7

Opens the source code for an app I have to integrate with.
Finds: if($cryptPW == $dbPW)
What the shit?!?!!!!!
Learn to hash! Far out 😢

Comments
  • 0
    Well, cryptPW seems to be the hashed provided password, and dbPW the hashed database-stored password....
    Looks like standard authentication checking to me, am I missing something?
  • 0
    It's done in a completely predictable way, reusing the same salt. Give me a decent gpu setup and I could crack every password in this db without breaking a sweat
  • 0
    @fSociety (I'm absolutely not expert in security) I'm surprised, I thought it was the standard procedure? Symfony authentication for example, you fetch the user, hash the password (from login form) with user salt, compare with user password (which was originally hashed with same salt)
  • 0
    Not when the same salt is used for every user. Should have explained that but I was caught up in the rant of things
Add Comment