• rc4 (disco)

    Good lord, this article again?

  • dkf (disco) in reply to rc4

    :notes: Where have we seen this code… before? :musical_note:

  • Tsaukpaetra (disco) in reply to dkf
    dkf:
    before

    It's like déjà vue or something....

  • rc4 (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    déjà vue

    Surely you mean déjà vu? It feels like we've had this conversation before...

  • Tsaukpaetra (disco) in reply to rc4
    rc4:
    feels

    I have no idea why my phone autocorrected to that...

  • boomzilla (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    It's like déjà vue or something....

    All over again?

  • tom103 (disco)

    I actually worked on an app that stored passwords in almost exactly the same way (minus the reverse). Fortunately it was a desktop app, not a server app, so it wasn't as big an issue. Still, I insisted that we switch to using DPAPI instead to encrypt the passwords...

  • lcrawford (disco)

    QRVMuZ1MSNXYtFVP , or did I make a decode mistake? That's a notably good password from an end user.

  • PWolff (disco) in reply to lcrawford
    lcrawford:
    **QRVMuZ1MSNXYtFVP** , or did I make a decode mistake? That's a notably good password from an end user.

    Or a somewhat weak password from a password generator. Unless the database won't accept any characters besides '0' to '9', 'A' to 'Z', 'a' to 'z'. Or their policy forbids other characters because they might confuse the SQL parser.

  • RiptoR (disco) in reply to lcrawford

    Yes, you made a mistake. Well, partially.

    The snippet from the article shows that the password gets base64-encoded and reversed 5 times in a row before it's stored. So you need to reverse and base64-decode 5 times too.

    The actual password you'll get after doing that is "foo".

  • DogsB (disco) in reply to tom103
    tom103:
    I actually worked on an app that stored passwords in almost exactly the same way (minus the reverse). Fortunately it was a desktop app, not a server app, so it wasn't as big an issue. Still, I insisted that we switch to using DPAPI instead to encrypt the passwords...
    Ye didn't happen to release a beta, implement the actual password code, release the product and then release a patch to undo the new password code because projects made during the beta wouldn't open in released version?

    If so I think I might know we might of met once.

  • PWolff (disco) in reply to RiptoR

    So the passwords can be assumed to be generic samples.

    Minus 0n3 WTF.

    But wouldn't it save a considerable amount of storage space if we'd rot13 encode the passwords 31 times instead?

  • tom103 (disco) in reply to DogsB

    Nope ;)

  • Quite (disco)

    The original specification was a shouted exchange with a very frustrated and infuriated boss. "Yaargh! You might as well reverse the damn thing 101 times for all the damn use it does!" and the coder thought he was talking in binary.

  • Quite (disco) in reply to DogsB
    DogsB:
    If so I think I might know we might of met once.

    Might have.

  • DogsB (disco) in reply to Quite
    Quite:
    DogsB:
    If so I think I might know we might of met once.

    Might have.

    :raising_hand:
  • RFoxmich (disco)
    Comment held for moderation.
  • rc4 (disco) in reply to Quite
    Comment held for moderation.
  • Dave_Aronson (disco)

    let them know about the data breech

    Those can be prevented with a good pair of security breeches.

  • Zylon (disco)

    I actually have one of those old Atari Portfolios in a box somewhere. Great little almost-DOS-compatible system. Really ahead of its time.

  • EatenByAGrue (disco) in reply to Dave_Aronson
    Dave_Aronson:
    Those can be prevented with a good pair of security breeches.
    They were laughing at me when I wore lederhosen to the office, but I sure showed them!
  • RevCurtisP (disco) in reply to Zylon
    Zylon:
    I actually have one of those old Atari Portfolios in a box somewhere.

    I approve of the photo not only because of the slightly obscure classic computer reference, but because I recently acquired an HP 95LX.

  • cellocgw (disco) in reply to Dave_Aronson

    No, it means the data is reversed (cf. "breech baby"), as the algorithm clearly shows it to be

  • RogerC (disco) in reply to RFoxmich

    I've never done any PHP programming, but I've done lots of C and C++. This comment has me puzzled, because in C/C++ that strrev would happen 4 times, not 5. Is PHP different?

  • HardwareGeek (disco) in reply to RogerC
    RogerC:
    in C/C++ that strrev would happen 4 times, not 5. Is PHP different?

    PHP is indeed "different," but not that way.

    for($i=0; $i<5; $i++)

    0, 1, 2, 3, 4 — that's 5 iterations — in any language that uses that for loop syntax.

  • john_a (disco) in reply to RiptoR

    Even an idiot like me can undo this:

    using System;
    using System.Linq;
    using System.Text;

    class Program
    {
        static void Main(string[] args)
        {
            // The stored value from the article: base64-encoded and reversed five times.
            var cipher = "==AUWZEdZhlTT1UMaVXTWJVU";

            for (int i = 0; i < 5; i++)
            {
                // Undo one round: reverse, then base64-decode.
                var rev = cipher.Reverse().ToArray();
                var bytes = Convert.FromBase64CharArray(rev, 0, rev.Length);
                cipher = Encoding.UTF8.GetString(bytes);
                Console.WriteLine(cipher);
                // QRVMuZ1MSNXYtFVP
                // =QmasR3Vn1TP
                // ==gWtljd
                // v9mZ
                // foo
            }
        }
    }
    
  • blakeyrat (disco) in reply to EatenByAGrue
    Comment held for moderation.
  • CodeSlave (disco)
    Comment held for moderation.
  • Fox (disco) in reply to CodeSlave

    :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm: :wtf: :facepalm:

  • Protoman (disco) in reply to CodeSlave

    Whoa, I must have missed the news that Slashdot is now StackOverflow.

  • CodeSlave (disco) in reply to Protoman

    Whoops... my fingers slipped. - corrected.

  • RogerC (disco) in reply to HardwareGeek

    Yikes. It's Monday, that's all I can say...

  • CoyneTheDup (disco)

    Hey, at least it's not...

    function encode5t($str){
        // Same loop as the article, with rot13 in place of base64 (str_rot13 is PHP's built-in).
        for($i=0; $i<5; $i++){
            $str=strrev(str_rot13($str));
        }
        return $str;
    }
    
  • dkf (disco) in reply to Protoman
    Protoman:
    Slashdot is now StackOverflow

    SlashdotOverflow…

  • JimNtexas (disco) in reply to CodeSlave

    My Eyes! The goggles do nothing!!!!!!!!!

  • herby (disco)

    $ echo UVJWTXVaMU1TTlhZdEZWUA== | base64 -d | rev | base64 -d | rev | base64 -d | rev | base64 -d | rev | base64 -d

    Easy to find out what the password is. Me? I'd use something silly like SHA1 or something stronger.

  • rc4 (disco) in reply to herby
    herby:
    something stronger.

    You should definitely be using PBKDF1/2, bcrypt, or scrypt with an appropriate number of rounds. Salted hashes alone should be considered deprecated, even SHA-512. ASICs and GPUs are getting really fast.
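
    RiptoR's decode recipe upthread and the hashing rc4 recommends here, as an added example in Python (not code from the article or from any commenter): the article's reverse-and-base64 loop reimplemented next to its inverse, so it is plain that the stored value is an encoding and not a hash, followed by a salted PBKDF2-HMAC-SHA256 hash-and-verify of the kind rc4 describes. The sample stored value is the one john_a pasted; `encode5t`/`decode5t_steps` mirror the article's names, while `PBKDF2_ITERATIONS`, `hash_password` and `verify_password` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the stored value john_a decoded upthread.
STORED_SAMPLE = "==AUWZEdZhlTT1UMaVXTWJVU"

# Current OWASP guidance for PBKDF2-HMAC-SHA256 (raise it as hardware improves).
PBKDF2_ITERATIONS = 600_000


def encode5t(plaintext: str) -> str:
    """Reverse(base64(x)) applied five times: a reimplementation of the article's loop."""
    s = plaintext
    for _ in range(5):
        s = base64.b64encode(s.encode("utf-8")).decode("ascii")[::-1]
    return s


def decode5t_steps(stored: str) -> list[str]:
    """Undo encode5t one round at a time (reverse, then base64-decode, five times).

    Returns every intermediate value, matching the lines john_a printed.
    """
    steps = []
    s = stored
    for _ in range(5):
        s = base64.b64decode(s[::-1]).decode("utf-8")
        steps.append(s)
    return steps


def decode5t(stored: str) -> str:
    """The recovered plaintext: no key, no secret, nothing to brute-force."""
    return decode5t_steps(stored)[-1]


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated and one-way, which is what encode5t is not."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so the iteration count can be raised later
    # without breaking verification of existing records.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    alg, iterations, salt_hex, dk_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for step in decode5t_steps(STORED_SAMPLE):
        print(step)                      # last line: foo
    record = hash_password("foo")
    print(record)
    print(verify_password("foo", record), verify_password("bar", record))
```

    Note the asymmetry the block makes visible: `decode5t` recovers "foo" from the stored value with nothing but the algorithm, while `verify_password` can only confirm a guess, and each guess costs the attacker the full iteration count.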

  • OriginalOuttascope (disco) in reply to PWolff
    PWolff:
    Or a somewhat weak password from a password generator. Unless the database won't accept any characters besides '0' to '9', 'A' to 'Z', 'a' to 'z'. Or their policy forbids other characters because they might confuse the SQL parser.

    Only a system administrator could claim that "somewhat weak" is constituted by a complexity that would take 1 million 4 GHz 8-core computers, whose every single clock cycle was dedicated solely to brute forcing these passwords (miracle clock cycles that can execute an entire crack attempt in one tick I might add) over 23 thousand years to reach a 50% confidence interval. But yeah, make your users add ampersands and exclamation points. THAT will be the thing that makes the difference. SMH.

  • ben_lubar (disco) in reply to OriginalOuttascope

    d41d8cd98f00b204e9800998ecf8427f

    I defy you to find the original password that matches this MD5. <http://play.golang.org/p/2G8IoMF901>

  • herby (disco) in reply to rc4

    "something stronger" is a bit mild. I suspect that the prudent (non-WTF) method would be to use something provided by someone who has greater knowledge in such things as encryption and hashes and the like.

    As everyone knows, rolling your own on such things as dates and encryption is a sure way to being quoted in some way here. Fine a proper library and use it!

  • rc4 (disco) in reply to herby

    You would use a library which provides an implementation of one of the algorithms I listed, all of which are well-known in academia and are considered secure (to various degrees; PBKDF1 > SHA1 any day even though it is old). Not rolling your own should have been obvious from what I posted.

  • urkerab (disco) in reply to john_a
    john_a:
    Even an idiot like me can undo this

    Put the code block language inside instead of before the block:

    <!-- language: c# -->

    (I don't know whether Discurse supports code block languages, but I wish it supported quoted code blocks.)
  • rc4 (disco) in reply to ben_lubar

    Did you do something like 100 random bytes | md5sum?

  • NedFodder (disco) in reply to rc4

    Only 100 bytes? It was probably a Go program compiled into BIT, so I'd wager around 4 GB.

  • abarker (disco) in reply to herby
    herby:
    Fine a proper library and use it!

    Why would you want to fine the library you plan to use? Seems like a bad way to start off your relationship.

    If this is some way of getting back at a library for all those overdue fines you had to pay back in the day, remember that those fees were all your fault. Besides, those are a completely different type of library anyway.

  • boomzilla (disco) in reply to abarker
    Comment held for moderation.
  • Fox (disco) in reply to boomzilla
    boomzilla:
    Revenue doesn't just generate itself!

    The thread where we discuss the merits (or lack thereof) of wealthy people whose revenue generates itself is :arrows:

  • PWolff (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    déjà vue

    Who is this DJ Vue?

  • DCRoss (disco) in reply to ben_lubar
    Comment held for moderation.
  • Tsaukpaetra (disco) in reply to PWolff
    PWolff:
    Who is this DJ Vue?

    No idea, I think my keyboard knows though....

Leave a comment on “Secure Portfolio”
