Alex108 Posted January 17, 2011
I am writing a PHP script that collects some information from the user and, according to that, sends data to an outside service. This data includes a username and password. The page that sends the data is protected by a secure login script, and the folder is also password protected by the hosting. If I understand the situation correctly, if somebody wants to know the password he has to read the file. If some hacker or somebody has access to my files there is no way to protect the password, so I think it doesn't need any protection. Am I right?
justsomeguy Posted January 17, 2011
You always need protection. If you're sending that information to a third party, you'll want to make sure you're either using an encrypted protocol like HTTPS, or you're manually encrypting the information yourself so that it can be decrypted on the other end.
boen_robot Posted January 17, 2011
Protecting the admin page both by web server authentication and session (script) authentication is somewhat redundant... Instead of storing the plain password (whether it's in a file or DB is beside the point), you could store a hash of it. At a login attempt, hash the input and compare it to the hash you have. The hashes will only be equivalent if the passwords are, but if an attacker gets hold of your file, they won't know your password - they'll just see the hash, and trying to find the password that generated it is not an easy task.
ShadowMage Posted January 17, 2011
> ...if an attacker gets hold of your file, they won't know your password - they'll just see the hash, and trying to find the password that generated it is not an easy task.

I've always wondered about this whole hashing business.... If there is a function that produces the hash, certainly, it must not be terribly difficult to write an opposite function that would un-hash it. Right? I've never worked with hashing or encrypting or any of that business (my applications thus far have not required it) so I could be wrong...
justsomeguy Posted January 17, 2011
No, hash functions map an infinitely large data set (in theory) down to a finite set. So there is no way to expand the hash to the original value. Assume your hash function resulted in only a single hex byte. You might have thousands of values which all get hashed to "B". If you're trying to decode "B", how do you know which original value you started with? There's not enough information there to tell you. Other hash functions work the same way, they just result in a larger hash. You may be able to find another value which results in the same hash, but you won't necessarily find the original (and using a salt would help eliminate collisions).
Starfall Posted January 17, 2011
> If there is a function that produces the hash, certainly, it must not be terribly difficult to write an opposite function that would un-hash it. Right?

No, actually it is very hard to decrypt a hash, though there are several websites which provide the service by storing hashes of many words in their databases, but they will not provide the password if it is something like "1a8djs9m". That is why you should use random passwords. Hashes like "MD5" or "SHA1" are often referred to as "undecryptable". That is not right, but it is really hard to decrypt a hash, and there is no method to build a general way for it.

> No, hash functions map an infinitely large data set (in theory) down to a finite set. So there is no way to expand the hash to the original value. Assume your hash function resulted in only a single hex byte. You might have thousands of values which all get hashed to "B". If you're trying to decode "B", how do you know which original value you started with? There's not enough information there to tell you. Other hash functions work the same way, they just result in a larger hash. You may be able to find another value which results in the same hash, but you won't necessarily find the original (and using a salt would help eliminate collisions).

Right, but with a proper brute forcing program all results can be scanned out and the correct result might be found if this is a form input. But still, getting the original value is really hard. I agree!
justsomeguy Posted January 17, 2011
Well, I don't really consider brute force as a way of decrypting. That's just trial-and-error. It's not "difficult" to un-hash a value, it's impossible. If you manage to get a value that hashes to what you're looking for, it's luck. Even the attacks against smaller hashes like MD5 require luck, they've just found methods that reduce the number of times you need to guess down to a minimum. It's still just guesswork though.
ShadowMage Posted January 17, 2011
> No, hash functions map an infinitely large data set (in theory) down to a finite set. So there is no way to expand the hash to the original value. Assume your hash function resulted in only a single hex byte. You might have thousands of values which all get hashed to "B". If you're trying to decode "B", how do you know which original value you started with? There's not enough information there to tell you. Other hash functions work the same way, they just result in a larger hash. You may be able to find another value which results in the same hash, but you won't necessarily find the original

Oh. I see.

> using a salt would help eliminate collisions

...but it also rusts your car.
thescientist Posted January 17, 2011
> ...but it also rusts your car.

wow.
iwato Posted January 17, 2011
> wow.

Both the md5() and sha1() hash functions are available with PHP, and you may apply a salt to either. My understanding is that the SHA class of hashes is better than MD5. PHP also has a function that permits you to apply just about any hash available; it is the hash() function. This is what I will likely use when I have finally made it so far.

Roddy
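The scheme boen_robot describes above (store a hash, hash the login input and compare) using the hash() function and a per-user salt that iwato mentions, as an added example that is not code from any poster. It assumes PHP 7 or later for random_bytes(); the password_hash()/password_verify() variant shown alongside is PHP's later built-in password API (5.5+), which this 2011 thread predates, and the sample password is constructed.

```php
<?php
// Added example (not from the thread). Stores a salted hash instead of the
// plaintext password, then checks a login attempt against it.

// Variant 1: hash() with a random per-user salt. The salt is stored next to
// the hash; the plaintext password itself is never written to file or DB.
function makeSaltedRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));          // 128-bit random salt, hex encoded
    $hash = hash('sha256', $salt . $password);  // SHA-256 rather than md5/sha1
    return ['salt' => $salt, 'hash' => $hash];
}

function checkSaltedRecord(string $attempt, array $record): bool
{
    $candidate = hash('sha256', $record['salt'] . $attempt);
    // hash_equals() compares in constant time so timing does not leak matches.
    return hash_equals($record['hash'], $candidate);
}

// Variant 2: PHP's built-in password API (PHP >= 5.5). It chooses a slow
// algorithm (bcrypt by default) and embeds its own salt in the result.
function makePasswordRecord(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPasswordRecord(string $attempt, string $stored): bool
{
    return password_verify($attempt, $stored);
}

// Constructed sample values for a stand-alone run.
$secret = 'correct horse battery staple';

$rec = makeSaltedRecord($secret);
echo 'hash(): right password  -> ', checkSaltedRecord($secret, $rec) ? 'accepted' : 'rejected', "\n";
echo 'hash(): wrong password  -> ', checkSaltedRecord('wrong password', $rec) ? 'accepted' : 'rejected', "\n";

$stored = makePasswordRecord($secret);
echo 'password_hash(): right  -> ', checkPasswordRecord($secret, $stored) ? 'accepted' : 'rejected', "\n";
echo 'password_hash(): wrong  -> ', checkPasswordRecord('wrong password', $stored) ? 'accepted' : 'rejected', "\n";
```

A fast hash like SHA-256 with a salt stops the dictionary lookups Starfall mentions, but only a deliberately slow algorithm such as the bcrypt that password_hash() uses by default also slows down the brute forcing discussed later in the thread.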
thescientist Posted January 18, 2011
My post was in response to SM's joke... I'll edit to convey my "tone".
Alex108 (author) Posted January 18, 2011
> You always need protection. If you're sending that information to a third party, you'll want to make sure you're either using an encrypted protocol like HTTPS, or you're manually encrypting the information yourself so that it can be decrypted on the other end.

They (the third party) gave me a script. They use sockets and HTTP/1.1, but the password and username are not encrypted.
justsomeguy Posted January 18, 2011
In that case, anyone monitoring traffic can read the data you're sending.
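What the fix for the plaintext socket script looks like, as an added example that is neither the third party's script nor any poster's code: the same username/password POST over HTTP/1.1, but through a TLS socket with certificate verification, so someone monitoring the traffic sees only ciphertext. The host, path, field names and credentials are constructed placeholders.

```php
<?php
// Added example (not the third party's script). Sends the credentials over
// TLS instead of a plain TCP socket. Host, path and fields are assumed.

function postCredentialsOverTls(string $host, string $path, array $fields): string
{
    // Insist on a verified certificate: without verify_peer/verify_peer_name
    // anyone in the path could present their own certificate and read the data.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
    ]]);

    $sock = stream_socket_client(
        "ssl://$host:443", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($sock === false) {
        throw new RuntimeException("TLS connection failed: $errstr ($errno)");
    }

    // Same form-encoded body the plain HTTP/1.1 script would send.
    $body = http_build_query($fields);
    $req  = "POST $path HTTP/1.1\r\n"
          . "Host: $host\r\n"
          . "Content-Type: application/x-www-form-urlencoded\r\n"
          . "Content-Length: " . strlen($body) . "\r\n"
          . "Connection: close\r\n\r\n"
          . $body;

    fwrite($sock, $req);
    $response = stream_get_contents($sock);
    fclose($sock);
    return $response;
}

// Constructed placeholder endpoint and credentials; replace with the real service.
$reply = postCredentialsOverTls('service.example', '/api/login', [
    'username' => 'alice',
    'password' => 'constructed-sample-password',
]);

// Show only the HTTP status line; the request body (with the password) is not logged.
echo strtok($reply, "\r\n"), "\n";
```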
Synook Posted January 18, 2011
A lot of the current research into breaking cryptographic hash functions is about looking for ways to make the collision-searching process more efficient, so that a string with an equivalent hash can be found quicker – usually by finding flaws in the mathematics behind the hash that reduces the number of strings to be checked, and also by developing more efficient ways to check lots of strings quickly (e.g. with faster computers). That's why MD5 isn't considered "secure" enough any more – because through such research people have made it possible to find a collision within a reasonable amount of time.
Alex108 (author) Posted January 19, 2011
> In that case, anyone monitoring traffic can read the data you're sending.

I agree with you, maybe I should tell it to my client. But you have to have special equipment for monitoring. And our web service is not big money. Why would serious criminals be interested in working with it?
ShadowMage Posted January 19, 2011
> I agree with you, maybe I should tell it to my client. But you have to have special equipment [software] for monitoring. And our web service is not big money. Why would serious criminals be interested in working with it?

Yes, you need special software to monitor traffic, but this software is often free. And not all criminals are out for money. Some do it just for the sake of destroying.