• (cs) in reply to hoodaticus

    I don't blame you.

    BTW- I spent many an inebriated weekend in Charlotte (in the 90's) and can say you're in a pretty nice location as well.

  • (cs) in reply to frits
    frits:
    I don't blame you.

    BTW- I spent many an inebriated weekend in Charlotte (in the 90's) and can say you're in a pretty nice location as well.

    Thanks. I don't mind it, but I came here from San Diego and ZOMG, that place fits me like a glove. If only I could transfer there :(.

  • Plato (unregistered) in reply to hoodaticus
    hoodaticus:
    I also used to believe in the law... before law school. Now I'm an anarchist.
    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.
  • (cs) in reply to Plato
    Plato:
    hoodaticus:
    I also used to believe in the law... before law school. Now I'm an anarchist.
    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.
    The highest concentration of psychopaths by career is probably in politics, law, and law enforcement.
  • (cs) in reply to hoodaticus
    hoodaticus:
    Plato:
    hoodaticus:
    I also used to believe in the law... before law school. Now I'm an anarchist.
    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.
    The highest concentration of psychopaths by career is probably in politics, law, and law enforcement.
    Sounds like basic self-preservation. Those are all good occupations for hiding out. Bonus: The whole power trip thing.
  • Plato (unregistered) in reply to hoodaticus
    hoodaticus:
    Plato:
    hoodaticus:
    I also used to believe in the law... before law school. Now I'm an anarchist.
    Good people do not need laws to tell them to act responsibly, while bad people will change the laws to suit their desires.
    The highest concentration of psychopaths by career is probably in politics, law, and law enforcement.
    FTFM
  • (cs) in reply to frits
    frits:
    hoodaticus:
    Plato:
    hoodaticus:
    I also used to believe in the law... before law school. Now I'm an anarchist.
    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws.
    The highest concentration of psychopaths by career is probably in politics, law, and law enforcement.
    Sounds like basic self-preservation. Those are all good occupations for hiding out. Bonus: The whole power trip thing.
    This thread, I like very much. Thanks.
  • ALH (unregistered) in reply to Dani

    Seems to me they are storing it in the database as plain text but pulling it out encrypted. If this is the case, and it looks that way from the query, then this is bad.

  • (cs) in reply to ALH
    ALH:
    Seems to me they are storing it in the database as plain text but pulling it out encrypted. If this is the case, and it looks that way from the query, then this is bad.

    Very much so.

    Until two things change, we'll always see horror stories like this.

    1. Managers who get software budget advice like "We could go with 32 installs of Win7, Office, YaddaYadda... for $xxxx, and $xxxxx for the MS server config; $xxxxx if we go Oracle; or we could do OpenOffice for workstations and set up a LAMP server for $0..."
    • they have no idea why prices vary so much, just that they do. Armed with the knowledge that "A very well informed person can cleverly save money AND get a superior product" they go off and make horribly uninformed decisions.
    2. There is no industry that can match software development for "hiding the cut corners" while still deploying a "working" solution.
    • they only ever test the standard "General User Experience" and wouldn't even know where to start to check any other quality factors, such as security, load handling, conflict locks, etc.

    Question to clever bosses: "If I was an Indian programmer with all the grand powers over time and space to deliver five-six figure high-order solutions on a four figure budget, why f**ing why in God's name would I be stuck here paid by the Rupee doing this sht for you cheap a-holes?"

  • 50% Opacity (unregistered) in reply to Those who live in glass houses...
    Those who live in glass houses...:
    I wish all you ivory tower wannabes would get off your high horses. SHA1 is encryption! Do you even know what encryption means? It means to obfuscate. SHA1 is obfuscation. Now STFU.
    encrypt |enˈkript|
    verb [ with obj. ]
    convert (information or data) into a cipher or code
    
    cipher |ˈsīfər|
    noun
    a secret or disguised way of writing; a code
    
    code |kōd|
    noun
    a system of words, letters, figures, or other symbols substituted for other words, letters
    

    Now contrast this with:

    hash |haSH|
    noun
    a dish of cooked meat cut into small pieces and cooked again, usually with potatoes.
    • a finely chopped mixture: a hash of raw tomatoes, chilies, and coriander.
    • a mixture of jumbled incongruous things; a mess.
    

    SHA1 falls in the latter category. Which is also why it's not called "enhash" and "dehash", because a hash is not encryption.

  • Luiz Felipe (unregistered) in reply to Coyne
    $result = mysql_query(
      "SELECT * FROM users " .
      " WHERE SECURITY_PRETENSE(username) = SECURITY_PRETENSE('" . $_REQUEST["username"] . "') " . 
      "   AND SECURITY_PRETENSE(password) = SECURITY_PRETENSE('" . $_REQUEST["password"] . "')");
    

    // how I fix it: first, wipe PHP; there is [node_js|asp_net|jsp]. Second, only [oracle|sqlserver|db2] are true relational databases.
    // second, put 2 columns, digest and salt
    // third, don't pass the password in the query string, never.
    // don't forget to put SSL

    var result = dbutil.executeDataTable(conn,
        "SELECT * FROM users WHERE passworddigest = HASHBYTES('sha1', passwordsalt + @pwd)",
        Request.Form.Item["password"]);

  • Tharg (unregistered)

    Only one or two folks seem to be aware that the Secure Hashing Algorithm does what it says on the tin, and hashes. It has nothing to do with encryption.

  • Dirk (unregistered) in reply to Stev
    Stev:
    And yet how many companies, lately, have been found storing stuff in plaintext? By comparison, this seems like a major step up.
    Read the code again noob, they were stored in plain text.
  • confuzzled (unregistered)

    Can someone explain "Nagesh"? Is that a person?

  • Andrew M (unregistered)

    What's even worse than this being stored in plain-text, is the fact that the database has to calculate a hash on every single row in the table in order to return the result. That is not a quick query!

  • BOB (unregistered)

    Most people are missing the point that SHA1 is NOT encryption, it is a HASH function.

    If something is encrypted, then it can be un-encrypted, you cannot take a SHA1 Hash and directly recover the original string because SHA1 is a HASH function.

    What you can do is take a plain text string and run it through SHA1 to compare the resultant hash, but that is NOT decryption of the original SHA1 string.

    Since it is a hash, this may mean that there may be multiple Key clashes due to weaknesses in the mathematics used to generate SHA1.

  • God programmer guy (unregistered) in reply to Bobby's mom

    I'm so used to using parameterized queries that I didn't actually see the security hole until this comment. This code isn't just poorly written, it's an outright liability...

  • Duis (unregistered) in reply to Those who live in glass houses...

    Encryption is when you are able to recover the plain text you encrypt. SHA1 is a hashing function and by construction is a 'one-way' function. So you won't be able to recover the plain text from its digest.

  • Duis (unregistered) in reply to Those who live in glass houses...
    Those who live in glass houses...:
    I wish all you ivory tower wannabes would get off your high horses. SHA1 is encryption! Do you even know what encryption means? It means to obfuscate. SHA1 is obfuscation. Now STFU.

    And this is for all you pathetic jackwagons posting in SHA1:

    68a6a81ff9352dfd1910c2907451fb726886328b

  • ste (unregistered) in reply to GettinSadda

    The passwords are in clear text, because it's using SHA1 on both sides of the assignment, but it is not SQL-injectable, at least not in these queries, because any text inserted will be converted into a hex number.

  • Valued Service (unregistered) in reply to hoodaticus
    hoodaticus:
    I'm not contracting now, but my last contract job was so very bad, that I actually kept an evidence file and complaint outline up to date until the job was done (which was when I manipulated them into triggering my escape clause).

    Law should be like a battle card game.

    Contractor: As per the contract (rustles paper), you've triggered my trap clause!!!

    Employer: Which triggers my double entendre which also stands as a "no liability" for work done clause.

    Contractor: Except I own 20% of the web land valley share. Which means I get vote on web allocation, and so I threaten to polymorph your adspace into ponies.

    Employer: We submit an out-of-court settlement. 80% of pay per contract, 20% in futures.

    Contractor: Deal!

  • John Wheal (unregistered)

    I know that this is an old post but I'm a little confused why everyone is making such a fuss. The SHA1 is doing nothing but I can see no way to inject SQL by a hacker to gain access. Have I missed something?
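
    The questions raised in this thread (whether the concatenated query is injectable, what the two-column salt/digest fix Luiz Felipe sketches looks like, and Andrew M's point that SHA1(username) forces the database to hash every row), as an added example that is not code from the article or from any commenter. It runs the article's query shape against an in-memory SQLite database with a SHA1() function registered to stand in for MySQL's; the users, the table layout, the `users2` name, the PBKDF2 work factor and the `') OR 1=1 --` payload are all assumptions made here. A single quote in the request value ends the string literal inside `SHA1('...')`, so the hashing on both sides does nothing to prevent injection; bound parameters do.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows (not from the article): the users table stores
# plaintext passwords, exactly as the article's query implies.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]
ITERATIONS = 600_000  # assumption: OWASP's 2023 PBKDF2-HMAC-SHA256 figure


def open_db():
    """In-memory SQLite with a SHA1() SQL function registered, so the
    article's query shape runs unchanged (MySQL has SHA1 built in)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SHA1", 1,
                         lambda s: hashlib.sha1(str(s).encode()).hexdigest())
    conn.execute("CREATE TABLE users (username TEXT UNIQUE, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """The article's approach: request values spliced into the SQL text.
    A single quote in either value ends the string literal inside SHA1()."""
    sql = ("SELECT username FROM users"
           " WHERE SHA1(username) = SHA1('" + username + "')"
           "   AND SHA1(password) = SHA1('" + password + "')")
    return sorted(row[0] for row in conn.execute(sql))


def parameterized_login(conn, username, password):
    """Same storage, same query, but bound parameters: the payload is a
    value, never SQL text, so the quote cannot close the literal."""
    sql = ("SELECT username FROM users"
           " WHERE SHA1(username) = SHA1(?) AND SHA1(password) = SHA1(?)")
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF; SHA1 of the bare password is
    neither salted nor slow, so it would not help even if it were stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def create_hardened_table(conn):
    """Store salt and digest, never the password (the two columns Luiz Felipe
    asks for); the password is hashed once in the application, not per row."""
    conn.execute("CREATE TABLE users2 "
                 "(username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for user, password in USERS:
        salt, digest = hash_password(password)
        conn.execute("INSERT INTO users2 VALUES (?, ?, ?)", (user, salt, digest))


def hardened_login(conn, username, password):
    """Look the user up by plain column equality (index-friendly), then
    recompute the digest in the application and compare in constant time."""
    row = conn.execute("SELECT salt, digest FROM users2 WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password, b"\0" * 16)  # same cost for unknown users
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def plan_uses_index(conn, sql, params):
    """True when SQLite's plan for the query uses an index; wrapping the
    column in SHA1() forces a scan that hashes every row, as Andrew M says."""
    plan = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return any("INDEX" in row[-1] for row in plan)


if __name__ == "__main__":
    db = open_db()
    payload = "') OR 1=1 --"
    print("concatenated:", vulnerable_login(db, payload, "anything"))
    print("parameterized:", parameterized_login(db, payload, "anything"))
    create_hardened_table(db)
    print("bob/hunter2:", hardened_login(db, "bob", "hunter2"))
```

    With the payload as the username, the concatenated query becomes `WHERE SHA1(username) = SHA1('') OR 1=1 --') AND ...`, and the trailing comment swallows the password check, so every user row comes back. The parameterized version returns nothing for the same input. The hardened table also answers BOB's point: verification works by recomputing the digest from the submitted password, never by reversing the stored one.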

  • Axel (unregistered)

    Fast, cheap, good: pick two. Unless one of them is "good." Then you only get to pick one.

Leave a comment on “Top-grade, SHA1 Encryption”
