51

No, MD5 hash is not a safe way to store our users' passwords. I don't care if it's been written in the past and still works. I've demonstrated how easy it is to reverse engineer and rainbow attack. I've told you your own password for the site! Now please let me fix it before someone else forces you to. We're too busy with other projects right now? Oh, ok then, I'll just be quiet and ignore our poor security. Whilst I'm busy getting on with my other work, could you figure out what we're gonna do with the tatters of our client's business (in which our company owns a stake) in the aftermath of the attack?

Comments
  • 6
    Haveibeenpwned
  • 3
    @zlice I demonstrated it using one of those sites by decoding their own password and secret question answer in front of them. They were just like, wow, that's cool. I've tried to explain rainbow attacks, to no avail. I think they just don't want to fix it because we'd have to ask users to change passwords. Of course, I could just reverse engineer most of the passwords and re-encrypt in a more secure way, but there are thousands of users and no guarantee of correct md5 lookups.
  • 7
    >dumps db
    >opens hashcat
    >loads own 15gb wordlist
    >10 seconds later
    >db cracked
  • 1
    Since last Friday that's illegal, I guess. And don't you get fined 4% of the company's revenue for data breaches according to the new GDPR law?
  • 3
    Usually there is no need to ask for a password change, just re-encrypt on the next login.
  • 0
    @ydfntn meaning that you check if the pass is correct, then re-encrypt, right?
  • 0
    @chabad360 Exactly. This way insecure password hashes of inactive users can linger, but if that is a concern you can always send out password reset emails for them.
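The migrate-on-login flow the last three comments describe, as an added Python example that is not code from the thread: a user record stays tagged `md5` until the user next logs in, at which point the verified password is re-hashed with a salted, iterated scheme (PBKDF2-SHA256 from the standard library, assumed here as the replacement) and the record is rewritten. Any records still tagged `md5` afterwards are the inactive users the last comment says you may want to send reset emails to. User records and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITER = 600_000  # assumed work factor for the replacement scheme

# Constructed user table: legacy unsalted MD5 hex digests, one per user.
USERS = {
    "alice": {"scheme": "md5", "hash": hashlib.md5(b"correcthorse").hexdigest()},
    "bob": {"scheme": "md5", "hash": hashlib.md5(b"hunter2").hexdigest()},
}


def pbkdf2_hash(password: str, salt: bytes = None) -> str:
    """Return a self-describing 'pbkdf2_sha256$iters$salt$dk' string."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITER)
    return f"pbkdf2_sha256${PBKDF2_ITER}${salt.hex()}${dk.hex()}"


def verify(record: dict, password: str) -> bool:
    """Check a password against whichever scheme the record currently uses."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, record["hash"])
    if record["scheme"] == "pbkdf2":
        _, iters, salt_hex, dk_hex = record["hash"].split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown scheme: fail closed


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, upgrade a legacy MD5 record in place."""
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "md5":
        # The plaintext is only available now, so this is the moment to migrate.
        record["scheme"] = "pbkdf2"
        record["hash"] = pbkdf2_hash(password)
    return True


def stale_legacy_users(users: dict) -> list:
    """Users who have not logged in since the migration began (still on MD5)."""
    return sorted(u for u, r in users.items() if r["scheme"] == "md5")
```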