156

I was reviewing one dev's work. It was in PHP. He used MD5 for password hashing. I told him to use the password_hash function, as MD5 is not secure...

He said no, we can't get a password from an MD5-hashed string. It's one-way hashing...

So I asked him to take a couple of passwords from the users table and try to decode those in any online MD5 decoder and call me after that if he still thinks MD5 is secure.

I have not got any call from him since.

Comments
  • 27
    Well played.
  • 23
    Either that, or he doesn't want to call you to let you know that you're right and he still hasn't changed anything because of pure arrogance.
  • 12
    @iSwimInTheC You are correct. I just checked with his boss, who has assigned me for review.

    Someone else will see that and will post "PHP is not secure". A usual thing nowadays.
  • 1
    @iSwimInTheC or ignorance 🤷‍♂️
  • 1
    Fun fact: when I did my thesis I developed a website where you could register and do stuff. I used MD5 as well hahahha xD
  • 0
    @Envydiv been there too xD
  • 2
    @Envydiv it's understandable. You were doing your first project and didn't know how to do it properly. Most of us did that.

    But making the same mistake even after knowing what should be done is what I'm concerned about.
  • 3
    Besides the algorithm, you also need to salt the data
  • 5
    Or you'll still be vulnerable to rainbow table attacks. So stick "foo54!" at the beginning and "++bar" at the end so you can still hash and compare but foo54!password++bar won't be found hashed in rainbow tables the way password is.
  • 5
    @wbrianwhite actually, the salt option is deprecated as of PHP 7.0.0. PASSWORD_ARGON2I is good enough without any additional option, but you can increase the cost and other options depending on your hardware.

    You can check it at https://secure.php.net/password_has...
  • 8
    This is fucking happening in the real world, check out this issue https://github.com/johnathanmartin/... 🙃🙃
  • 0
    Come, let us pray for balloon hashing to arrive soon.
  • 3
    @abdilahrf haha how :P
  • 3
    @abdilahrf This is so stupid. Thanks for the link but now I have to wash the stains from my eyes.
  • 0
    🌈 Tables ♥
  • 0
    So how can a hash be decrypted, though? Or is it just because passwords aren't long enough to produce conflicts? So basically you just need a conversion table to get the original string?
  • 1
    @billgates

    Pretty much the same as using a wordlist.
  • 0
    @rsync so if I use a password that is generated randomly, then it can't be decrypted? It's just an issue of dumb people using common passwords like 1234?
  • 1
    @billgates

    As far as I understand, yes. But the hashlists are billions long and have just about everything in them. But my understanding is it's the same as brute force.
  • 0
    Fun fact: if you type your password in plaintext in a comment, DevRant automatically stars it out for you.

    For example: ********
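
The move from MD5 to password_hash discussed in this thread, as an added example that is not code from the post or any commenter: it contrasts the deterministic MD5 digest with the per-call salted output of password_hash, then upgrades a legacy row on the next successful login. The `$users` array, the sample password and the helpers `isLegacyMd5()` and `login()` are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: one row of a legacy users table holding an unsalted MD5 hash.
$users = ['alice' => md5('Tr0ub4dor&3')];

// Unsalted MD5 is deterministic: every account with this password stores the
// same 32-hex-digit value, so a single precomputed table covers all of them.
var_dump(md5('Tr0ub4dor&3') === $users['alice']);

// password_hash() draws a random salt on every call and stores it, together
// with the algorithm and cost, inside the returned string.
$a = password_hash('Tr0ub4dor&3', PASSWORD_DEFAULT);
$b = password_hash('Tr0ub4dor&3', PASSWORD_DEFAULT);
var_dump($a === $b, password_verify('Tr0ub4dor&3', $a), password_verify('Tr0ub4dor&3', $b));

// Hypothetical helper: a stored value that is exactly 32 hex digits is a legacy MD5 row.
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

// Hypothetical login routine that replaces the MD5 value on a successful login.
function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        return false;
    }
    if (isLegacyMd5($stored)) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when the default algorithm or cost has changed since this row was written.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

var_dump(login($users, 'alice', 'wrong'));        // rejected, row untouched
var_dump(login($users, 'alice', 'Tr0ub4dor&3'));  // accepted, row rewritten
var_dump(isLegacyMd5($users['alice']));           // row no longer holds MD5
```

Accounts that never log in again keep their MD5 value, so those rows still need a forced password reset.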