Vanilla 1.1.4 is a product of Lussumo.
#1 WallPhone (Apr 28th 2006)
    Just curious if there was a reason why I don't see any salting of the password hash in Vanilla. MD5 has been around long enough that if you know the MD5 value, you have a good chance of looking up what the password may be.
#2 Mark (Apr 28th 2006, edited)
    It wasn't important. Version 1 is finished. That was an important goal.

    Plus, to change the way passwords are handled would be a huge pain in the ass for people upgrading to the new version with existing forums.

    Regardless, what Vanilla has is industry standard and completely acceptable.
#3 Bergamot (Apr 28th 2006)
    "MD5 has been around long enough that if you know the MD5 value, you have a good chance of looking up what the password may be."

    There is a collision algorithm, but it's not necessarily fast or easy.
#4 WallPhone (Apr 29th 2006, edited)
    I was referring to the lookup databases that are popping up (and seem to drop as soon as they get wise to the exponential nature of the problem).

    http://www.google.com/search?q=md5+reverse+lookup

    Aye--didn't think of the hurdles to upgrade an existing community...
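The lookup-table concern raised in #1 and #4, shown as an added example rather than anything from Vanilla's own code: an unsalted digest can be matched against a precomputed table of common passwords with no hashing at all, while a per-user random salt (here combined with PBKDF2-HMAC, a slow hash) leaves such a table nothing to match. The password list, the "reverse lookup table" and the stored records are all constructed in the block so it runs offline; `hashlib`, `hmac` and `os` are the Python standard library.

```python
"""Unsalted MD5 versus a per-user salted, slow hash.

Added example, not Vanilla's code. Everything below (password list,
lookup table, user records) is constructed here to run offline.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the kind of MD5 reverse-lookup database the
# thread mentions: a precomputed map from md5(password) to password,
# built once from a short list of common passwords.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "vanilla"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password: str) -> str:
    """The scheme discussed in the thread: one global digest per password."""
    return hashlib.md5(password.encode()).hexdigest()


def reverse_lookup(digest: str) -> Optional[str]:
    """Recover a password from a stored digest by table lookup alone.

    Succeeds exactly when the digest came from a password already in the
    precomputed table; the defender's point is that nothing per-site or
    per-user stands between the table and the stored value.
    """
    return LOOKUP_TABLE.get(digest)


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Store a random per-user salt alongside PBKDF2-HMAC-SHA256 of the password.

    Two users with the same password get different records, so a table
    keyed on digest value cannot be precomputed for them.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def salted_records_differ(password: str) -> bool:
    """Same password, two registrations: the stored hashes do not match."""
    return make_salted_record(password)["hash"] != make_salted_record(password)["hash"]


if __name__ == "__main__":
    stored = unsalted_md5("letmein")                      # what an unsalted table holds
    print("unsalted lookup:", reverse_lookup(stored))     # letmein
    rec = make_salted_record("letmein")
    print("salted lookup:", reverse_lookup(rec["hash"]))  # None
    print("verify:", verify_salted("letmein", rec), verify_salted("wrong", rec))
```

The salt does not need to be secret; it is stored next to the hash. Its job is to make every stored value unique so that precomputation has to be redone per user, and the iteration count makes each such attempt expensive.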
#5 Mark (Apr 29th 2006)
    Also, even if someone managed to get at your cookies, the passwords (md5'd or not) aren't in there. The only way they can get at your password is to (a) query the database directly - which implies that they've already gotten past your db security, or (b) monitor network traffic on your server - which implies that they've already gotten past your server security. If either of those things happened, you've got bigger problems than md5 passwords.
#6 Krak (Apr 29th 2006)
    I hear about this from time to time. I think people are really just being over paranoid.
#7 Bergamot (Apr 29th 2006)
    If you ever access the site over an unencrypted wifi connection, or one that has been cracked, an observer could conceivably grab the md5 hash from the HTTP header, find a collision, and log in with that.

    In the end though, all he'd get would be your password to a forum he probably doesn't visit anyway.
#8 Toivo (May 1st 2006, edited)
    Gosh. People use *the same* password for different sites ...
#9 giginger (May 2nd 2006)
    Is this another bug?

    This thread was at the top but the post before this one says 1 day ago. I should've screenshotted. Sorry.
#10 droozie (May 2nd 2006)
    It might be because the post before yours, giginger, (Toivo) has been edited?
#11
    I think it's the whisper bug Mark was talking about, isn't it?