Uridium (Author), posted January 17, 2010:

I have figured out a new method to solve the issue with security on this mod. The newer system will now....

A = When a new user signs up, an email is sent to the owner's address with the chosen password and keypass
B = The txt version of the password is reset once the user has used their keypass sent to confirm their email
C = The keypass, once used, is randomly reset and a new keypass is sent to the owner's email in case of loss of pass
D = Re-inserting the new keypass into the lost password will send out the user's username and pass for that account...
E = No TXT password is kept on the dbase but is cached on a secure file..

AlabamaHit, posted January 18, 2010:

sha1 has been cracked? Crap, I didn't know that lol.

Zero-Affect, posted January 18, 2010:

If SHA1 is in fact a hash, it's explosively impossible to reverse, therefore the only technique of "cracking" would be to use charts, and I don't imagine every single alpha + numeric + symbol submittable has been recoded in all different ways into SHA1. I really don't imagine it's possible.

rulerofzu, posted January 18, 2010:

Both sha1 and md5 have charts that could be used against them. Much better to use one that does not, in my opinion. From what I have read previously elsewhere, those that work in this kind of area consider it cracked when such tables can be done. Open to interpretation I suppose :D

AlabamaHit, posted January 18, 2010:

That sucks, I might need to rethink some of my engine, as I used sha1 to encrypt the passwords. Thanks for the info, I really didn't know there was any table or nothing to work around sha1. I knew there was on md5. But sha1 should still be very safe, as really md5 is. As long as you use a good password... if you use something like baller then yeah it will get busted, but if you use baller3938baller9, that wouldn't be in the table lol.

a_bertrand, posted January 18, 2010:

Simply add a salt inside the sha1 or md5 and you are up and running: md5("mysalt"+password); this mysalt could be system-wide (stored somewhere privately) or could be some sort of algorithm like sha1(sha1(userid)+password); With something like that, it will be impossible to find the right password out of the hash functions (or nearly impossible). Now, of course, if you brute force, you will be able to find something which produces the same hash code, and therefore will allow you to enter.
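
Added example (not from the thread or any poster's code): a Python sketch of the table-versus-salt point discussed above, showing a precomputed table hit on unsalted SHA-1, the miss once a random per-user salt is mixed in, and, going beyond the thread, a slow salted KDF (PBKDF2) with constant-time verification. The word list, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed lookup table.
COMMON_PASSWORDS = ["password", "123456", "baller", "letmein"]
SHA1_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_sha1(password):
    """Plain sha1(password): identical passwords always give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(salt, password):
    """Same shape as md5("mysalt"+password) in the thread, with a per-user salt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def table_lookup(digest):
    """Return the plaintext if the digest is in the precomputed table, else None."""
    return SHA1_TABLE.get(digest)


def hash_password(password, salt=None, iterations=200_000):
    """Store side: random 16-byte salt plus a deliberately slow KDF.

    The iteration count is an assumed value; tune it to your hardware.
    """
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived


def verify_password(password, salt, iterations, expected):
    """Login side: recompute with the stored salt, compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    print("unsalted 'baller' in table:", table_lookup(unsalted_sha1("baller")))
    print("salted 'baller' in table:",
          table_lookup(salted_sha1(os.urandom(16), "baller")))
    record = hash_password("baller3938baller9")
    print("verify correct password:", verify_password("baller3938baller9", *record))
    print("verify wrong password:", verify_password("baller", *record))
```

A salt only defeats precomputed tables; a weak password such as "baller" can still be guessed directly once the salt and hash leak, which is why the slow KDF is used for storage.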