Comment On Bullet-proof Encryption

Matthew R recently took a team-lead position and was tasked with improving the quality of the company's application. He started with security, specifically the fact that user passwords were stored in plain-text. "But it's easier this way," the developer complained when Matthew suggested to change it, "plus, it's relatively easy to break modern encryption."

Re: Bullet-proof Encryption

2011-10-19 09:03 • by Joshua (unregistered)
YAY for SQL Injection.

Re: Bullet-proof Encryption

2011-10-19 09:03 • by Dani (unregistered)
Could it be frist?

Re: Bullet-proof Encryption

2011-10-19 09:11 • by Rodnas (unregistered)
I made this bullet-proof vest out of plain cotton, because everyone uses armour-piercing rounds nowadays plus it is easier this way.

Re: Bullet-proof Encryption

2011-10-19 09:14 • by Steve The Cynic
So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.

Maybe someone should hash the colleague.

Re: Bullet-proof Encryption

2011-10-19 09:16 • by congnor
363536 in reply to 363535
Steve The Cynic:
So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.

Maybe someone should smoke hash with the colleague.


ftfy

Re: Bullet-proof Encryption

2011-10-19 09:20 • by congnor
I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...

Re: Bullet-proof Encryption

2011-10-19 09:21 • by Jerry (unregistered)
I'm so confused! Second or third time now.. a story before noon! Did I get transported to another time zone or did Alex finally get a day job?

Re: Bullet-proof Encryption

2011-10-19 09:24 • by Fred (unregistered)
As we know, md5 has been broken and it is probably only a matter of time before sha1 and sha2 fall as well. So this code is future proof.

Now some would argue you shouldn't use md5 if you know it is broken, but that didn't stop us from using plaintext, did it?

Re: Bullet-proof Encryption

2011-10-19 09:25 • by Spivonious (unregistered)
363540 in reply to 363538
Jerry:
I'm so confused! Second or third time now.. a story before noon! Did I get transported to another time zone or did Alex finally get a day job?


Seriously. I was getting used to not getting an update until the afternoon. Maybe Alex got fired?

Re: Bullet-proof Encryption

2011-10-19 09:27 • by Nagesh (unregistered)
Not being bad idea to use multipal incription skemes. As haker, I am probable trying sha1 or md5 or base 64 decription skemes. Can it be finding ranebow tables for md5-sha1-sha2 hash?

I am thinking no.


Don't be a H8R.

I undertake project in java, if you need help with
homework, contact me.

Re: Bullet-proof Encryption

2011-10-19 09:27 • by Ama (unregistered)
It's a hash within a hash. Hashception.

Re: Bullet-proof Encryption

2011-10-19 09:30 • by Bobby Tables (unregistered)
Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.

Re: Bullet-proof Encryption

2011-10-19 09:35 • by David (unregistered)
363544 in reply to 363535
Steve The Cynic:
So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.


I've heard people say this before. Can someone explain why this isn't more secure? I'm not arguing that it actually is. Security is not really my field, so I'd just like someone to give me the "For Dummies" overview of why this doesn't help.

My thought process (and clearly the guy who wrote it like this) would be that you'd have to brute force it multiple times AND know the exact order that the encryptions were applied.

I can't be the only one in the dark, so someone help the rest of us learn something new today.

Re: Bullet-proof Encryption

2011-10-19 09:36 • by ObiWayneKenobi
363545 in reply to 363541
Nagesh:
Not being bad idea to use multipal incription skemes. As haker, I am probable trying sha1 or md5 or base 64 decription skemes. Can it be finding ranebow tables for md5-sha1-sha2 hash?

I am thinking no.


Don't be a H8R.

I undertake project in java, if you need help with
homework, contact me.


Fail troll is fail, and your spelling is too atrocious even for Hinglish.. Also the amusing (or sad?) part is that this Nagesh is copy/pasting that signature every time it posts.

To stay on topic: Developer is an idiot. 'Nuff said.

Re: Bullet-proof Encryption

2011-10-19 09:46 • by The Great Lobachevsky
363546 in reply to 363543
Bobby Tables:
Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.


I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

I get that you can do things like change the URL in your browser to tack something like OR 1=1 onto the end of a query to make a DB return all contents of a table (or in this case I guess it lets anyone in if this is entered in a password field?)

If you know of a good easy to read reference, can you share? Thanks.

Re: Bullet-proof Encryption

2011-10-19 09:48 • by Nagesh (unregistered)
363547 in reply to 363545
No one care what you think neither if too lazy to evan read content.


Don't be a H8R.

I undertake project in java, if you need help with
homework, contact me.

ObiWayneKenobi:
Nagesh:
Not being bad idea to use multipal incription skemes. As haker, I am probable trying sha1 or md5 or base 64 decription skemes. Can it be finding ranebow tables for md5-sha1-sha2 hash?

I am thinking no.


Don't be a H8R.

I undertake project in java, if you need help with
homework, contact me.


Fail troll is fail, and your spelling is too atrocious even for Hinglish.. Also the amusing (or sad?) part is that this Nagesh is copy/pasting that signature every time it posts.

To stay on topic: Developer is an idiot. 'Nuff said.

Re: Bullet-proof Encryption

2011-10-19 09:50 • by Machtyn (unregistered)
For people whose browsers didn't wrap the code:
custom_step(crypt(md5(sha1(sha2(mcrypt_cbc($password))))+

stream_filter_append($rand,$seed,STREAM_FILTER_WRITE, $opts))+"123", $seed);

Re: Bullet-proof Encryption

2011-10-19 09:58 • by Rupee (unregistered)
363550 in reply to 363544
David:

Steve The Cynic:

So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.

I've heard people say this before. Can someone explain why this isn't more secure? I'm not arguing that it actually is. Security is not really my field, so I'd just like someone to give me the "For Dummies" overview of why this doesn't help.

My thought process (and clearly the guy who wrote it like this) would be that you'd have to brute force it multiple times AND know the exact order that the encryptions were applied.

I can't be the only one in the dark, so someone help the rest of us learn something new today.


Performing multiple hashes can make it harder to brute force a password - because it adds a few milliseconds to your authentication process, but could add years to a brute force attack. Check out key stretching. Check out bcrypt as it has a built-in mechanism to avoid the need for key stretching.

It's interesting because Moore's Law about computer speed doubling every so often means that an algorithm that is secure today may be brute forced in 10 years time when computers are faster.

Using different algorithms adds some strength in that if a vulnerability is discovered in one, it won't leave you open to attack.

Having a special hashing order like in this example gives you some security through obscurity - but you can't rely on that.

My PHP ain't great, but it looks like this guy has gone a little over the top. I reckon I'd "WTF" if I came across that - but it's not as shocking as people are making out.
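The key-stretching and salting idea in the comment above, as an added example that is not part of the original thread or the article's PHP. It uses the standard-library PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (the iteration count is the work factor), stores the work factor inside the record so it can be raised later as hardware gets faster, and compares digests in constant time. The record format `algo$iterations$salt$digest`, the iteration count and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor. Raise it as hardware gets faster; each stored record carries
# its own iteration count, so old hashes stay verifiable and can be upgraded
# on the next successful login. Value is an assumption for this example.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"  # assumed record tag, not an official identifier


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash; returns "algo$iterations$salt_hex$digest_hex".

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table of hashes is useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record format: {algo}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    # Constant-time comparison: response time must not depend on how many
    # leading bytes of the guess happened to match.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when the stored record is weaker than current policy."""
    iterations, _, _ = _parse(record)
    return iterations < target_iterations


def login(password: str, record: str,
          target_iterations: int = ITERATIONS) -> Optional[str]:
    """Verify the password. On success return the record to store (a new,
    stronger one if the old work factor is stale); on failure return None."""
    if not verify_password(password, record):
        return None
    if needs_rehash(record, target_iterations):
        return hash_password(password, target_iterations)
    return record


def unsalted_sha1(password: str) -> str:
    """What a rainbow table targets: same password, same output, every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Rough cost of one attacker guess at a given work factor."""
    salt = b"fixed salt for timing only"
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=32)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    rec = hash_password("correct horse")
    print(rec)
    print("verify ok:", verify_password("correct horse", rec))
    for n in (10_000, 100_000, 200_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1000:.1f} ms per guess")
```

Doubling the iteration count doubles the attacker's cost per guess while adding only milliseconds to a legitimate login; the `login` helper is where a site would silently migrate users to a higher work factor.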

Re: Bullet-proof Encryption

2011-10-19 09:58 • by boog
...user passwords were stored in plain-text. "But it's easier this way..."
5 out of 5 hackers agree.

Re: Bullet-proof Encryption

2011-10-19 10:00 • by someone (unregistered)
Using several hashes is actually way more secure, but using crypt as the final step can be a real problem, since it only considers the first 8 characters. If the md5 is hex-encoded, we just have to find a collision of the first 4 md5 bytes to login. (on the other hand the exact password can never be found)

Re: Bullet-proof Encryption

2011-10-19 10:01 • by FreeMarketFan (unregistered)
363553 in reply to 363542
Ama:
It's a hash within a hash. Hashception.


Actually that's a common misconception people have. The concept of hashception is me planting the hash inside your hash without you knowing...

CAPTCHA: luctus - Dr House argued, "It's not luctus"

Re: Bullet-proof Encryption

2011-10-19 10:03 • by wernercd (unregistered)
363554 in reply to 363546
The Great Lobachevsky:

I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.


http://en.wikipedia.org/wiki/SQL_injection

The basics of it... to my understanding... is that the end product results in a query such as:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"


Replace the "userName" with something like 'or 1 = 1' ending up with something like:

SELECT * FROM users WHERE name = '' OR '1'='1';


Tack on a "robert'; drop table users; --" and you have http://xkcd.com/327/:

 SELECT * FROM USERS WHERE name = 'robert'; drop table users; --'

Re: Bullet-proof Encryption

2011-10-19 10:09 • by Alex (unregistered)
The concatenation operator in PHP is ".", not "+" (addition). Because of how the addition operator performs typecasting, that line is essentially equivalent to:

custom_step(123, $seed);

...except in cases where crypt returns a string that begins with "valid numeric data". Then it's the sum of the "valid numeric data" and 123 as the first argument. What counts as "valid numeric data"? Read this: http://sg.php.net/manual/en/language.types.string.php#language.types.string.conversion

Re: Bullet-proof Encryption

2011-10-19 10:16 • by boog
363557 in reply to 363554
wernercd:
The Great Lobachevsky:

I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.


http://en.wikipedia.org/wiki/SQL_injection

The basics of it... to my understanding... is that the end product results in a query such as:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"


Replace the "userName" with something like 'or 1 = 1' ending up with something like:

SELECT * FROM users WHERE name = '' OR '1'='1';


Tack on a "robert'; drop table users; --" and you have http://xkcd.com/327/:

 SELECT * FROM USERS WHERE name = 'robert'; drop table users; --'
Also: people who know about SQL injection because they read xkcd will prevent it by sanitizing inputs when they concatenate them into their SQL queries:
 SELECT * FROM USERS WHERE name = 'robert''; drop table users; --'

Smart developers will just use parameterized queries and go home early.

Re: Bullet-proof Encryption

2011-10-19 10:23 • by THE Zuy-Guy (You Know You Love Me) (unregistered)
363558 in reply to 363550
Rupee:
It's interesting because Moore's Law about computer speed doubling every so often means that an algorithm that is secure today may be brute forced in 10 years time when computers are faster.
Moore's law doesn't concern speed per se, but tranny density. The number of trannys in a club will double every 18 months or until they implement checks at the door.
Rupee:
Using different algorithms adds some strength in that if a vulnerability is discovered in one, it won't leave you open to attack.
Having several layers might prevent penetration, but that just allows me to get multiple "trophies" from the same "occasion".
Rupee:
Having a special hashing order like in this example gives you some security through obscurity - but you can't rely on that.
Like I said, this stops working when the bouncers start lifting skirts.
Rupee:
My PHP ain't great, but it looks like this guy has gone a little over the top. I reckon I'd "WTF" if I came across that - but it's not as shocking as people are making out.
Well, if it's two chicks, then yeah, it will distract me from this shocking bad example of php (which stands for PHP: Homosexual Penis).

Re: Bullet-proof Encryption

2011-10-19 10:24 • by C-Octothorpe
363559 in reply to 363557
boog:
Smart developers will just use parameterized queries and get all the ladies.
FTFM

giggity...

Re: Bullet-proof Encryption

2011-10-19 10:25 • by Cris (unregistered)
363560 in reply to 363556
Alex:
The concatenation operator in PHP is ".", not "+" (addition). Because of how the addition operator performs typecasting, that line is essentially equivalent to:

custom_step(123, $seed);

...except in cases where crypt returns a string that begins with "valid numeric data". Then it's the sum of the "valid numeric data" and 123 as the first argument. What counts as "valid numeric data"? Read this: http://sg.php.net/manual/en/language.types.string.php#language.types.string.conversion
Even without this error, when you stack layers of encryption on "the real password" all the hacker has to do is brute force any input value that passes the test -- which may or may not equal the original password. So your algo becomes as strong as its weakest link. For example:

check = super_crypt (weak_crypt (user_input))
if check = super_crypted_password_in_database ...

Say weak_crypt only returns two bits, or a total of four possible values. Then it doesn't matter if super_crypt makes 16 passes and returns a 2048 byte string... there will still be only four possible values, and thus the hacker can pass the equals test in about 2 tries.
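The weakest-link argument in the comment above (and the earlier point that crypt only looks at the first characters of its input), as an added example that is not part of the original thread. It models the article's stack of sha2, sha1, md5 and a lossy stage with a toy `weak_step` that keeps only a few bits, then shows that any number of strong passes afterwards cannot widen the output space again, and that an attacker only needs some input that passes the check, not the real password. The functions, the bit width and the candidate alphabet are assumptions made for the example.

```python
import hashlib
import itertools
import string
from typing import Callable, Iterator, Optional, Tuple


def sha2(data: bytes) -> bytes:
    return hashlib.sha256(data).hexdigest().encode()


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).hexdigest().encode()


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).hexdigest().encode()


def weak_step(data: bytes, keep_bits: int) -> bytes:
    """A stage that throws most of its input away.

    Classic DES crypt() ignores everything after the first 8 characters; a
    hex md5 fed into it is reduced to 32 bits. Here the stage keeps only
    `keep_bits` bits so the collapse is visible at toy scale.
    """
    n = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return (n & ((1 << keep_bits) - 1)).to_bytes(8, "big")


def super_crypt(data: bytes, passes: int = 16) -> bytes:
    """Many strong passes stacked, Matryoshka style. However many there are,
    they cannot put back entropy an earlier stage discarded."""
    for _ in range(passes):
        data = md5(sha1(sha2(data)))
    return data


def stacked_hash(password: str, keep_bits: int) -> bytes:
    """super_crypt(weak_crypt(password)), the shape the comment describes."""
    return super_crypt(weak_step(password.encode(), keep_bits))


def strong_hash(password: str) -> bytes:
    """Same stack without the lossy stage, for comparison."""
    return super_crypt(password.encode())


def candidates() -> Iterator[str]:
    """Attacker's guess stream: short lowercase strings (constructed)."""
    for length in range(1, 5):
        for tup in itertools.product(string.ascii_lowercase, repeat=length):
            yield "".join(tup)


def find_any_preimage(stored: bytes, keep_bits: int,
                      limit: int = 10_000) -> Tuple[Optional[str], int]:
    """Brute force until *any* guess passes the equality check."""
    for tries, guess in enumerate(itertools.islice(candidates(), limit), start=1):
        if stacked_hash(guess, keep_bits) == stored:
            return guess, tries
    return None, limit


def distinct_outputs(hash_fn: Callable[[str], bytes], n: int = 1000) -> int:
    """How many different stored values n different passwords can produce."""
    return len({hash_fn(g) for g in itertools.islice(candidates(), n)})


if __name__ == "__main__":
    stored = stacked_hash("correct horse", keep_bits=2)
    guess, tries = find_any_preimage(stored, keep_bits=2)
    print(f"passes the check after {tries} tries with input {guess!r}")
    for bits in (2, 8, 16):
        print(f"{bits:>2}-bit weak stage: {distinct_outputs(lambda p: stacked_hash(p, bits))} distinct outputs from 1000 passwords")
    print(f"no weak stage: {distinct_outputs(strong_hash)} distinct outputs from 1000 passwords")
```

The search space the attacker faces is 2 to the power of whatever the lossiest stage keeps, independent of how many passes follow it; the real crypt() case is the same picture with 32 bits instead of 2.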

Re: Bullet-proof Encryption

2011-10-19 10:27 • by Nagesh (unregistered)
363561 in reply to 363554
wernercd:
The Great Lobachevsky:

I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.


http://en.wikipedia.org/wiki/SQL_injection

The basics of it... to my understanding... is that the end product results in a query such as:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"


Replace the "userName" with something like 'or 1 = 1' ending up with something like:

SELECT * FROM users WHERE name = '' OR '1'='1';


Tack on a "robert'; drop table users; --" and you have http://xkcd.com/327/:

 SELECT * FROM USERS WHERE name = 'robert'; drop table users; --'

I am not even cliking link and already knew it was some cigarette linking XKCD.

**** off, you're not clever.

Re: Bullet-proof Encryption

2011-10-19 10:28 • by THE Zuy-Guy (Fraudulent) (unregistered)
363562 in reply to 363551
boog:
...user passwords were stored in plain-text. "But it's easier this way..."
5 out of 5 hackers agree.
And 5 out of 6 people enjoy gang rape.

And now you know!

Re: Bullet-proof Encryption

2011-10-19 10:33 • by THE Zuy-Guy (You Know You Love Me) (unregistered)
363564 in reply to 363559
C-Octothorpe:
boog:
Smart developers will just use Rohypnol and get all the ladies.
FTFM

giggity...

FTFTFMFY

I won't keep you long... I'll keep you forever...

Re: Bullet-proof Encryption

2011-10-19 10:40 • by Martijn (unregistered)
363565 in reply to 363546
The Great Lobachevsky:
Bobby Tables:
Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.


I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

I get that you can do things like change the URL in your browser to tack something like OR 1=1 onto the end of a query to make a DB return all contents of a table (or in this case I guess it lets anyone in if this is entered in a password field?)

If you know of a good easy to read reference, can you share? Thanks.


According to the article, in this particular case, you don't even have to add the SQL in the URL, you can just type it into the username field.

I don't know of an easy reference that explains everything you need to know about SQL injection. I do know the silver bullet, however: Never, ever ever use string concatenation to create SQL queries out of user input. Always, always use parameterized queries. And fire anyone who doesn't.
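The injection walked through by wernercd, boog and Martijn above, as an added example that is not part of the original thread or the article's code. An in-memory SQLite table with constructed users shows the concatenated login query being bypassed from either the username or the password field, the quote-doubling "sanitiser" stopping that particular payload, the same sanitiser failing in a numeric context, and the parameterised query that needs neither. The table layout, the sample users and the plaintext password column (kept only to mirror the article) are assumptions made for the example.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data; passwords are plaintext only to mirror the article."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                "name TEXT NOT NULL, password TEXT NOT NULL)")
    con.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                    [("alice", "hunter2"), ("bob", "correct horse")])
    con.commit()
    return con


def login_concat(con: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Vulnerable: the user's text becomes part of the SQL statement itself."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in con.execute(sql))


def escape_quotes(value: str) -> str:
    """The 'just sanitise it' approach: double every single quote."""
    return value.replace("'", "''")


def login_escaped(con: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Still string-built, but quotes are doubled first."""
    sql = ("SELECT name FROM users WHERE name = '" + escape_quotes(name) +
           "' AND password = '" + escape_quotes(password) + "'")
    return sorted(row[0] for row in con.execute(sql))


def login_param(con: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Parameterised: the driver sends values separately from the statement,
    so the input can never change the query's structure."""
    rows = con.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                       (name, password))
    return sorted(row[0] for row in rows)


def find_by_id_concat(con: sqlite3.Connection, user_id: str) -> List[str]:
    """Numeric context: there are no quotes to escape, so quote-doubling does nothing."""
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return sorted(row[0] for row in con.execute(sql))


def find_by_id_param(con: sqlite3.Connection, user_id: str) -> List[str]:
    """Validate the type, then bind it; non-integer input is rejected, not coerced."""
    ident = int(user_id)  # raises ValueError for "1 OR 1=1"
    rows = con.execute("SELECT name FROM users WHERE id = ?", (ident,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    con = make_db()
    print("normal login:      ", login_concat(con, "alice", "hunter2"))
    print("username payload:  ", login_concat(con, "' OR 1=1 --", "x"))
    print("password payload:  ", login_concat(con, "alice", "' OR '1'='1"))
    print("escaped:           ", login_escaped(con, "' OR 1=1 --", "x"))
    print("parameterised:     ", login_param(con, "' OR 1=1 --", "x"))
    print("numeric, escaped:  ", find_by_id_concat(con, "1 OR 1=1"))
```

With the username `' OR 1=1 --` the query becomes `... WHERE name = '' OR 1=1 --' AND password = 'x'` and the rest of the line is a comment; with the password `' OR '1'='1` it becomes `... AND password = '' OR '1'='1'`, which is true for every row because AND binds tighter than OR. Quote-doubling happens to defeat both, but `WHERE id = 1 OR 1=1` contains no quote to double, which is why the parameterised form is the answer rather than a cleverer sanitiser.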

Re: Bullet-proof Encryption

2011-10-19 10:40 • by THE Zuy-Guy (You Know You Love Me) (unregistered)
363566 in reply to 363562
THE Zuy-Guy (Fraudulent):
boog:
...user passwords were stored in plain-text. "But it's easier this way..."
5 out of 5 hackers agree.
And 5 out of 6 people claim to enjoy gang rape.
All 6 actually do.

0,Vx2,Ax2 Now yer talkin'!

Re: Bullet-proof Encryption

2011-10-19 10:43 • by pjt33
In addition to points already made, that $rand worries me. Is it going to be the same value every time? If so, WTF is it called $rand? If not, a user who gets his password right every time is still going to need luck to log in.

Re: Bullet-proof Encryption

2011-10-19 10:44 • by Nagesh
363568 in reply to 363537
congnor:
I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...


What is matryoshka doll? Is it like Barby?

Re: Bullet-proof Encryption

2011-10-19 10:47 • by Andy (unregistered)
Cargo Cult Programming!

Re: Bullet-proof Encryption

2011-10-19 10:49 • by C-Octothorpe
363570 in reply to 363565
Martijn:
The Great Lobachevsky:
Bobby Tables:
Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.


I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

I get that you can do things like change the URL in your browser to tack something like OR 1=1 onto the end of a query to make a DB return all contents of a table (or in this case I guess it lets anyone in if this is entered in a password field?)

If you know of a good easy to read reference, can you share? Thanks.


According to the article, in this particular case, you don't even have to add the SQL in the URL, you can just type it into the username field.

I don't know of an easy reference that explains everything you need to know about SQL injection. I do know the silver bullet, however: Never, ever ever use string concatenation to create SQL queries out of user input. Always, always use parameterized queries. And fire anyone who doesn't.
Hmm, this seems familiar... Anybody else sense an impending flamewar?

Re: Bullet-proof Encryption

2011-10-19 10:51 • by Nagesh (unregistered)
363572 in reply to 363568
Nagesh:
congnor:
I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...


What is matryoshka doll? Is it like Barby?

GIYF, matterhorn

Re: Bullet-proof Encryption

2011-10-19 10:52 • by THE Zuy-Guy (You Know You Love Me) (unregistered)
363573 in reply to 363570
C-Octothorpe:
Hmm, this seems familiar... Anybody else sense an impending flamewar?
No, but I sense an approaching flamer.

Hey! C-Octo! Good to see ya!

I WANT TO FUCK YOUR BRAINS OUT!

Re: Bullet-proof Encryption

2011-10-19 10:54 • by geoffrey (unregistered)
The real smart developers don't even use SQL, they spin their own custom in-house database system, or use a slightly less obscure 3rd party database system.

The smart hackers will be put off when they realize the backend of the website is not even using SQL and will go off for an easier target.

It's not a popular view I know. But that's because the widespread belief that "industry standard" database systems using SQL should be chosen in development is pure dogma driven by a desire to not have to bother writing a DBS or to bother knowing how to write one.


Re: Bullet-proof Encryption

2011-10-19 10:55 • by Nagesh
363575 in reply to 363572
Nagesh:
Nagesh:
congnor:
I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...


What is matryoshka doll? Is it like Barby?

GIYF, matterhorn


:consfued:

Re: Bullet-proof Encryption

2011-10-19 10:56 • by Zylon
Whoever's running Nagesh is really lonely today, isn't he?

Re: Bullet-proof Encryption

2011-10-19 10:56 • by Nagesh
Found it.

http://en.wikipedia.org/wiki/Matryoshka_doll

Re: Bullet-proof Encryption

2011-10-19 10:59 • by trtrwtf (unregistered)
363578 in reply to 363576
Zylon:
Whoever's running Nagesh is really lonely today, isn't he?


What makes you think it's one person?

Re: Bullet-proof Encryption

2011-10-19 11:00 • by C-Octothorpe
363579 in reply to 363574
geoffrey:
The real smart developers don't even use SQL, they spin their own custom in-house database system, or use a slightly less obscure 3rd party database system.

The smart hackers will be put off when they realize the backend of the website is not even using SQL and will go off for an easier target.

It's not a popular view I know. But that's because the widespread belief that "industry standard" database systems using SQL should be chosen in development is pure dogma driven by a desire to not have to bother writing a DBS or to bother knowing how to write one.
3/10. Funny, but a little forced. Let's see how many bites you get...

Re: Bullet-proof Encryption

2011-10-19 11:01 • by Tom (unregistered)
363580 in reply to 363567
pjt33:
In addition to points already made, that $rand worries me. Is it going to be the same value every time? If so, WTF is it called $rand? If not, a user who gets his password right every time is still going to need luck to log in.


Therein lies the security...

Re: Bullet-proof Encryption

2011-10-19 11:01 • by Nagesh (unregistered)
363581 in reply to 363576
Zylon:
Whoever's running Nagesh is really lonely today, isn't he?

I am having to study very hard: trying to get Java 1.4 certification.

Re: Bullet-proof Encryption

2011-10-19 11:06 • by Tom (unregistered)
363582 in reply to 363578
trtrwtf:
Zylon:
Whoever's running Nagesh is really lonely today, isn't he?
What makes you think it's one person?
Perhaps they're all lonely.

If only there were some kind of network where they could connect with each other and exchange pictures of their winkies or something.

Re: Bullet-proof Encryption

2011-10-19 11:06 • by THE Zuy-Guy (You Know You Love Me) (unregistered)
363583 in reply to 363578
trtrwtf:
Zylon:
Whoever's running Nagesh is really lonely today, isn't he?
What makes you think it's one person?
I wish I was more than one person - I'm lonely too!

Love me internet!

Re: Bullet-proof Encryption

2011-10-19 11:07 • by boog
363584 in reply to 363578
trtrwtf:
Zylon:
Whoever's running Nagesh is really lonely today, isn't he?


What makes you think it's one person?
Indeed, I'd wager it's at the very least three high-schoolers crowded around the same school computer. Possibly four or five.

Re: Bullet-proof Encryption

2011-10-19 11:09 • by C-Octothorpe
363585 in reply to 363584
boog:
trtrwtf:
Zylon:
Whoever's running Nagesh is really lonely today, isn't he?


What makes you think it's one person?
Indeed, I'd wager it's at the very least three high-schoolers crowded around the same school computer. Possibly four or five.
High school? Me thinks you're giving too much credit to this "hive mind"...