• Joshua (unregistered)

    YAY for SQL Injection.

  • Dani (unregistered)

    Could it be frist?

  • Rodnas (unregistered)

    I made this bullet-proof vest out of plain cotton, because everyone uses armour-piercing rounds nowadays plus it is easier this way.

  • (cs)

    So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.

    Maybe someone should hash the colleague.

  • (cs) in reply to Steve The Cynic
    Steve The Cynic:
    So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.

    Maybe someone should smoke hash with the colleague.

    ftfy

  • (cs)

    I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...

  • Jerry (unregistered)

    I'm so confused! Second or third time now.. a story before noon! Did I get transported to another time zone or did Alex finally get a day job?

  • Fred (unregistered)

    As we know, md5 has been broken and it is probably only a matter of time before sha1 and sha2 fall as well. So this code is future proof.

    Now some would argue you shouldn't use md5 if you know it is borken, but that didn't stop us from using plaintext, did it?

  • Spivonious (unregistered) in reply to Jerry
    Jerry:
    I'm so confused! Second or third time now.. a story before noon! Did I get transported to another time zone or did Alex finally get a day job?

    Seriously. I was getting used to not getting an update until the afternoon. Maybe Alex got fired?

  • Nagesh (unregistered)

    Not being bad idea to use multipal incription skemes. As haker, I am probable trying sha1 or md5 or base 64 decription skemes. Can it be finding ranebow tables for md5-sha1-sha2 hash?

    I am thinking no.

    Don't be a H8R.

    I undertake project in java, if you need help with homework, contact me.

  • Ama (unregistered)

    It's a hash within a hash. Hashception.

  • Bobby Tables (unregistered)

    Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.

  • David (unregistered) in reply to Steve The Cynic
    Steve The Cynic:
    So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.

    I've heard people say this before. Can someone explain why this isn't more secure? I'm not arguing that it actually is. Security is not really my field, so I'd just like someone to give me the "For Dummies" overview of why this doesn't help.

    My thought process (and clearly the guy who wrote it like this) would be that you'd have to brute force it multiple times AND know the exact order that the encryptions were applied.

    I can't be the only one in the dark, so someone help the rest of us learn something new today.

  • (cs) in reply to Nagesh
    Nagesh:
    Not being bad idea to use multipal incription skemes. As haker, I am probable trying sha1 or md5 or base 64 decription skemes. Can it be finding ranebow tables for md5-sha1-sha2 hash?

    I am thinking no.

    Don't be a H8R.

    I undertake project in java, if you need help with homework, contact me.

    Fail troll is fail, and your spelling is too atrocious even for Hinglish.. Also the amusing (or sad?) part is that this Nagesh is copy/pasting that signature every time it posts.

    To stay on topic: Developer is an idiot. 'Nuff said.

  • (cs) in reply to Bobby Tables
    Bobby Tables:
    Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.

    I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

    I get that you can do things like change the URL in your browser to tack something like OR 1=1 onto the end of a query to make a DB return all contents of a table (or in this case I guess it lets anyone in if this is entered in a password field?)

    If you know of a good easy to read reference, can you share? Thanks.

  • Nagesh (unregistered) in reply to ObiWayneKenobi

    No one care what you think neither if too lazy to evan read content.

    Don't be a H8R.

    I undertake project in java, if you need help with homework, contact me.

    ObiWayneKenobi:
    Nagesh:
    Not being bad idea to use multipal incription skemes. As haker, I am probable trying sha1 or md5 or base 64 decription skemes. Can it be finding ranebow tables for md5-sha1-sha2 hash?

    I am thinking no.

    Don't be a H8R.

    I undertake project in java, if you need help with homework, contact me.

    Fail troll is fail, and your spelling is too atrocious even for Hinglish.. Also the amusing (or sad?) part is that this Nagesh is copy/pasting that signature every time it posts.

    To stay on topic: Developer is an idiot. 'Nuff said.

  • Machtyn (unregistered)

    For people who's browsers didn't wrap the code:

    custom_step(crypt(md5(sha1(sha2(mcrypt_cbc($password))))+
      stream_filter_append($rand,$seed,STREAM_FILTER_WRITE, $opts))+"123", $seed);
    
  • Rupee (unregistered) in reply to David
    David:
    Steve The Cynic:
    So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.
    I've heard people say this before. Can someone explain why this isn't more secure? I'm not arguing that it actually is. Security is not really my field, so I'd just like someone to give me the "For Dummies" overview of why this doesn't help.

    My thought process (and clearly the guy who wrote it like this) would be that you'd have to brute force it multiple times AND know the exact order that the encryptions were applied.

    I can't be the only one in the dark, so someone help the rest of us learn something new today.

    Performing multiple hashes can make it harder to brute force a password - because it adds a few milliseconds to your authentication process, but could add years to a brute force attack. Checkout Key Stretching. Checkout bcrypt as it has a built in mechanism to avoid the need for key stretching.

    It's interesting because Moore's Law about computer speed doubling every so often means that an algorithm that is secure today may be brute forced in 10 years time when computers are faster.

    Using different algorithms adds some strength in that if a vulnerability is discovered in one, it won't leave you open to attack.

    Having a special hashing order like in this example gives you some security through obscurity - but you can't rely on that.

    My PHP ain't great, but it looks like this guy has gone a little over the top. I reckon I'd "WTF" if I came across that - but it's not as shocking as people are making out.

  • (cs)
    ...user passwords were stored in plain-text. "But it's easier this way..."
    5 out of 5 hackers agree.
  • someone (unregistered)

    Using several hashs is actually way more secure, but using crypt as final step can be an real problem, since it only considers the first 8 characters. If the md5 is hex-encoded, we just have to find a collision of the first 4 md5 bytes to login. (on the other hand the exact password can never be found)

  • FreeMarketFan (unregistered) in reply to Ama
    Ama:
    It's a hash within a hash. Hashception.

    Actually that's a common misconception people have. The concept of hashception is me planting the hash inside your hash without you knowing...

    CAPTCHA: luctus - Dr House argued, "It's not luctus"

  • wernercd (unregistered) in reply to The Great Lobachevsky
    The Great Lobachevsky:
    I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

    http://en.wikipedia.org/wiki/SQL_injection

    The basics of it... to my understanding... is that the end product results in a query such as:

    statement = "SELECT * FROM users WHERE name = '" + userName + "';"

    Replace the "userName" with something like 'or 1 = 1' ending up with something like:

    SELECT * FROM users WHERE name = '' OR '1'='1';

    Tack on a "robert'; drop table users; --" and you have http://xkcd.com/327/:

     SELECT * FROM USERS WHERE name = 'robert'; drop table users; --'
  • Alex (unregistered)

    The concatenation operator in PHP is ".", not "+" (addition). Because of how the addition operator performs typecasting, that line is essentially equivalent to:

    custom_step(123, $seed);

    ...except in cases where crypt returns a string that begins with "valid numeric data". Then it's the sum of the "valid numeric data" and 123 as the first argument. What counts as "valid numeric data"? Read this: http://sg.php.net/manual/en/language.types.string.php#language.types.string.conversion

  • (cs) in reply to wernercd
    wernercd:
    The Great Lobachevsky:
    I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

    http://en.wikipedia.org/wiki/SQL_injection

    The basics of it... to my understanding... is that the end product results in a query such as:

    statement = "SELECT * FROM users WHERE name = '" + userName + "';"

    Replace the "userName" with something like 'or 1 = 1' ending up with something like:

    SELECT * FROM users WHERE name = '' OR '1'='1';

    Tack on a "robert'; drop table users; --" and you have http://xkcd.com/327/:

     SELECT * FROM USERS WHERE name = 'robert'; drop table users; --'
    Also: people who know about SQL injection because they read xkcd will prevent it by sanitizing inputs when they concatenate them into their SQL queries:
     SELECT * FROM USERS WHERE name = 'robert''; drop table users; --'

    Smart developers will just use parameterized queries and go home early.

  • THE Zuy-Guy (You Know You Love Me) (unregistered) in reply to Rupee
    Rupee:
    It's interesting because Moore's Law about computer speed doubling every so often means that an algorithm that is secure today may be brute forced in 10 years time when computers are faster.
    Moore's law doesn't concern speed per se, but tranny density. The number of trannys in a club will double every 18 months or until they implement checks at the door.
    Rupee:
    Using different algorithms adds some strength in that if a vulnerability is discovered in one, it won't leave you open to attack.
    Having several layers might prevent penetration, but that just allows me to get multiple "trophies" from the same "occasion".
    Rupee:
    Having a special hashing order like in this example gives you some security through obscurity - but you can't rely on that.
    Like I said, this stops working when the bouncers start lifting skirts.
    Rupee:
    My PHP ain't great, but it looks like this guy has gone a little over the top. I reckon I'd "WTF" if I came across that - but it's not as shocking as people are making out.
    Well, if it's two chicks, then yeah, it will distract me from this shocking bad example of php (which stands for PHP: Homosexual Penis).
  • (cs) in reply to boog
    boog:
    Smart developers will just use parameterized queries and get all the ladies.
    FTFM

    giggity...

  • Cris (unregistered) in reply to Alex
    Alex:
    The concatenation operator in PHP is ".", not "+" (addition). Because of how the addition operator performs typecasting, that line is essentially equivalent to:

    custom_step(123, $seed);

    ...except in cases where crypt returns a string that begins with "valid numeric data". Then it's the sum of the "valid numeric data" and 123 as the first argument. What counts as "valid numeric data"? Read this: http://sg.php.net/manual/en/language.types.string.php#language.types.string.conversion

    Even without this error, when you stack layers of encryption on "the real password" all the hacker has to do is brute force any input value that passes the test -- which may or may not equal the original password. So your algo becomes as strong as its weakest link. For example:

    check = super_crypt (weak_crypt (user_input)) if check = super_crypted_password_in_database ...

    Say weak_crypt only returns two bits, or a total of four possible values. Then it doesn't matter if super_crypt makes 16 passes and returns a 2048 byte string... there will still be only four possible values, and thus the hacker can pass the equals test in about 2 tries.

  • Nagesh (unregistered) in reply to wernercd
    wernercd:
    The Great Lobachevsky:
    I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

    http://en.wikipedia.org/wiki/SQL_injection

    The basics of it... to my understanding... is that the end product results in a query such as:

    statement = "SELECT * FROM users WHERE name = '" + userName + "';"

    Replace the "userName" with something like 'or 1 = 1' ending up with something like:

    SELECT * FROM users WHERE name = '' OR '1'='1';

    Tack on a "robert'; drop table users; --" and you have http://xkcd.com/327/:

     SELECT * FROM USERS WHERE name = 'robert'; drop table users; --'

    I am not even cliking link and already knew it was some cigarette linking XKCD.

    **** off, your not clever.

  • THE Zuy-Guy (Fraudulent) (unregistered) in reply to boog
    boog:
    ...user passwords were stored in plain-text. "But it's easier this way..."
    5 out of 5 hackers agree.
    And 5 out of 6 people enjoy gang rape.

    And now you know!

  • THE Zuy-Guy (You Know You Love Me) (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    boog:
    Smart developers will just use Rohypnol and get all the ladies.
    FTFM

    giggity...

    FTFTFMFY

    I won't keep you long... I'll keep you forever...

  • Martijn (unregistered) in reply to The Great Lobachevsky
    The Great Lobachevsky:
    Bobby Tables:
    Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.

    I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

    I get that you can do things like change the URL in your browser to tack something like OR 1=1 onto the end of a query to make a DB return all contents of a table (or in this case I guess it lets anyone in if this is entered in a password field?)

    If you know of a good easy to read reference, can you share? Thanks.

    According to the article, in this particular case, you don't even have to add the SQL in the URL, you can just type it into the username field.

    I don't know of an easy reference that explains everything you need to know about SQL injection. I do know the silver bullet, however: Never, ever ever use string concatenation to create SQL queries out of user input. Always, always use parameterized queries. And fire anyone who doesn't.

  • THE Zuy-Guy (You Know You Love Me) (unregistered) in reply to THE Zuy-Guy (Fraudulent)
    THE Zuy-Guy (Fraudulent):
    boog:
    ...user passwords were stored in plain-text. "But it's easier this way..."
    5 out of 5 hackers agree.
    And 5 out of 6 people claim to enjoy gang rape.
    All 6 actually do.

    0,Vx2,Ax2 Now yer talkin'!

  • (cs)

    In addition to points already made, that $rand worries me. Is it going to be the same value every time? If so, WTF is it called $rand? If not, a user who gets his password right every time is still going to need luck to log in.

  • (cs) in reply to congnor
    congnor:
    I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...

    What is matryoshka doll? Is it like Barby?

  • Andy (unregistered)

    Cargo Cult Programming!

  • (cs) in reply to Martijn
    Martijn:
    The Great Lobachevsky:
    Bobby Tables:
    Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.

    I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.

    I get that you can do things like change the URL in your browser to tack something like OR 1=1 onto the end of a query to make a DB return all contents of a table (or in this case I guess it lets anyone in if this is entered in a password field?)

    If you know of a good easy to read reference, can you share? Thanks.

    According to the article, in this particular case, you don't even have to add the SQL in the URL, you can just type it into the username field.

    I don't know of an easy reference that explains everything you need to know about SQL injection. I do know the silver bullet, however: Never, ever ever use string concatenation to create SQL queries out of user input. Always, always use parameterized queries. And fire anyone who doesn't.

    Hmm, this seems familiar... Anybody else sense an impending flamewar?

  • Nagesh (unregistered) in reply to Nagesh
    Nagesh:
    congnor:
    I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...

    What is matryoshka doll? Is it like Barby?

    GIYF, matterhorn

  • THE Zuy-Guy (You Know You Love Me) (unregistered) in reply to C-Octothorpe
    C-Octothorpe:
    Hmm, this seems familiar... Anybody else sense an impending flamewar?
    No, but I sense an approaching flamer.

    Hey! C-Octo! Good to see ya!

    I WANT TO FUCK YOUR BRAINS OUT!

  • geoffrey (unregistered)

    The real smart developers don't even use SQL, they spin their own custom in-house database system, or use a slightly less obscure 3rd party database system.

    The smart hackers will be put off when they realize the backend of the website is not even using SQL and will go off for an easier target.

    It's not a popular view I know. But that's because the widespread belief that "industry standard" database systems using SQL should be chosen in development is pure dogma driven by a desire to not have to bother writing a DBS or to bother knowing how to write one.

  • (cs) in reply to Nagesh
    Nagesh:
    Nagesh:
    congnor:
    I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...

    What is matryoshka doll? Is it like Barby?

    GIYF, matterhorn

    :consfued:

  • (cs)

    Whoever's running Nagesh is really lonely today, isn't he?

  • (cs)

    Found it.

    http://en.wikipedia.org/wiki/Matryoshka_doll

  • trtrwtf (unregistered) in reply to Zylon
    Zylon:
    Whoever's running Nagesh is really lonely today, isn't he?

    What makes you think it's one person?

  • (cs) in reply to geoffrey
    geoffrey:
    The real smart developers don't even use SQL, they spin their own custom in-house database system, or use a slightly less obscure 3rd party database system.

    The smart hackers will be put off when they realize the backend of the website is not even using SQL and will go off for an easier target.

    It's not a popular view I know. But that's because the widespread belief that "industry standard" database systems using SQL should be chosen in development is pure dogma driven by a desire to not have to bother writing a DBS or to bother knowing how to write one.

    3/10. Funny, but a little forced. Let's see how many bites you get...

  • Tom (unregistered) in reply to pjt33
    pjt33:
    In addition to points already made, that $rand worries me. Is it going to be the same value every time? If so, WTF is it called $rand? If not, a user who gets his password right every time is still going to need luck to log in.

    Therein lies the security...

  • Nagesh (unregistered) in reply to Zylon
    Zylon:
    Whoever's running Nagesh is really lonely today, isn't he?
    I am having to study very hard: trying to get getting Java 1.4 certification.
  • Tom (unregistered) in reply to trtrwtf
    trtrwtf:
    Zylon:
    Whoever's running Nagesh is really lonely today, isn't he?
    What makes you think it's one person?
    Perhaps they're all lonely.

    If only there were some kind of network where they could connect with each other and exchange pictures of their winkies or something.

  • THE Zuy-Guy (You Know You Love Me) (unregistered) in reply to trtrwtf
    trtrwtf:
    Zylon:
    Whoever's running Nagesh is really lonely today, isn't he?
    What makes you think it's one person?
    I wish I was more than one person - I'm lonely too!

    Love me internet!

  • (cs) in reply to trtrwtf
    trtrwtf:
    Zylon:
    Whoever's running Nagesh is really lonely today, isn't he?

    What makes you think it's one person?

    Indeed, I'd wager it's at the very least three high-schoolers crowded around the same school computer. Possibly four or five.

  • (cs) in reply to boog
    boog:
    trtrwtf:
    Zylon:
    Whoever's running Nagesh is really lonely today, isn't he?

    What makes you think it's one person?

    Indeed, I'd wager it's at the very least three high-schoolers crowded around the same school computer. Possibly four or five.
    High school? Me thinks you're giving too much credit to this "hive mind"...

Leave a comment on “Bullet-proof Encryption”

Log In or post as a guest

Replying to comment #363635:

« Return to Article