
the username hash is impressive.

Jul 1, 2018 14:14

And md5

Jul 1, 2018 16:30

Remember: when storing a hash in your database, always be sure to identify the hashing method in your column name.

Jul 1, 2018 17:04

the username hash gives away that they were told "hey you know you need to hash your username/passwords" at some point but never quite figured out why

Jul 1, 2018 18:12

To be fair () it is completely standard to store hashes in self-describing format, where the hash includes its salt and the hash method

Jul 1, 2018 18:13

Yeah, you're right. I forgot about that.

Jul 1, 2018 22:39

Xarn posted: "To be fair () it is completely standard to store hashes in self-describing format, where the hash includes its salt and the hash method"

To be even fairer, even secure hash methods can be spotted quite fast. Bcrypt itself has "magic chars" at the start: $2b$ for the 2014 protocol, $2a$ original, etc. And some versions even had a broken crypt_blowfish algorithm. If you live in 1999, knowing that a hash is MD5 doesn't help you much.

Jul 2, 2018 03:42

You're also not supposed to secure through obscurity. The main problem is keeping them in plaintext, not that an attacker will know what hash function you use.

Jul 2, 2018 04:04

Volguus posted: "To be even fairer, even secure hash methods can be spotted quite fast. Bcrypt itself has "magic chars" at the start: $2b$ for the 2014 protocol, $2a$ original, etc. And some versions even had a broken crypt_blowfish algorithm. If you live in 1999, knowing that a hash is MD5 doesn't help you much."

It's also just a pretty safe assumption that when you see a 32 character hex string it's an md5 hash.

Jul 2, 2018 06:59

Absurd Alhazred posted: "You're also not supposed to secure through obscurity. The main problem is keeping them in plaintext, not that an attacker will know what hash function you use."

yeah, merely being told what hash function is used should not help an attacker in any significant way. The protection is supposed to be provided by the resistance to brute-forcing of the function itself, so that it doesn't matter if the attacker knows what it is. The fact that the hash function in use is explicitly disclosed by the database column names is entirely irrelevant. The issues are the unsuitable choice of hash function, and the fact that the plaintext is stored alongside it anyway. Also the fact that a hash of the username is stored, but that only (further) illustrates that the person who designed the system doesn't understand the purpose of hashing things in a password-based system.

Jul 2, 2018 09:29

the best practice is actually to name your field *_md5, but to hash with something secure to throw hackers off the trail.

Jul 2, 2018 15:36

password_md5 = SUBSTR(SHA256, 32)

Jul 2, 2018 16:59

It would be a pretty solid troll on hopeful hackers to have a column named password_md5 containing MD5 hashes, but the plaintexts are salted bcrypt hashes.

Jul 2, 2018 17:00

LOOK I AM A TURTLE posted: "It would be a pretty solid troll on hopeful hackers to have a column named password_md5 containing MD5 hashes, but the plaintexts are salted bcrypt hashes."

Where would you store the salt?

Jul 2, 2018 17:47

Dr. Stab posted: "Where would you store the salt?"

It's just part of the string that bcrypt emits. You just store it as an opaque string blob. Or did I miss a joke?

Jul 2, 2018 18:00
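An added example (not posted by anyone in the thread) of what Xarn and Munkeymon describe: a bcrypt string carries its own version prefix, cost and salt, so the scheme can be read straight off the stored value, while a bare 32-hex string says nothing explicit and is simply assumed to be MD5, as the reply to Volguus notes. The sample values are constructed and are not real hash output.

```python
import re

# Modular crypt format as emitted by bcrypt: $<version>$<cost>$<22-char salt><31-char digest>.
# $2a$ is the original prefix and $2b$ the 2014 revision; $2y$ dates from the crypt_blowfish fix.
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
HEX_RE = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)

# Constructed sample values (NOT real hash output): a well-formed 60-char bcrypt string
# and a 32-hex digest of the kind the thread assumes is MD5.
SAMPLE_BCRYPT = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_MD5 = "0123456789abcdef0123456789abcdef"


def describe_hash(stored: str) -> dict:
    """Report what a stored credential string discloses about itself."""
    m = BCRYPT_RE.match(stored)
    if m:
        version, cost, salt, digest = m.groups()
        return {
            "scheme": "bcrypt",
            "version": f"${version}$",  # the "magic chars" at the front
            "cost": int(cost),          # 2**cost rounds of key setup
            "salt": salt,               # readable by anyone who can read the row
            "digest": digest,
            "salted": True,
        }
    if HEX_RE.match(stored) and len(stored) == 32:
        # Nothing in the string names MD5; a bare 32-hex value is just assumed to be one.
        return {"scheme": "md5 (likely)", "salted": False}
    return {"scheme": "unknown", "salted": False}


def audit_column(column_name: str, stored: str) -> list:
    """Findings a reviewer would raise for one (column name, stored value) pair."""
    info = describe_hash(stored)
    findings = []
    if info["scheme"] == "md5 (likely)":
        findings.append("unsalted fast hash: unsuitable for passwords regardless of column name")
    if info["scheme"] == "bcrypt":
        findings.append("value is self-describing; the column name cannot hide the algorithm")
        if column_name.endswith("_md5"):
            findings.append("column name advertises md5 but the value is bcrypt")
    if column_name.startswith("username"):
        findings.append("hashing a username serves no purpose in a password system")
    return findings
```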

Dr. Stab posted: "Where would you store the salt?"

password_pepper

Jul 2, 2018 18:08

Munkeymon posted: "It's just part of the string that bcrypt emits. You just store it as an opaque string blob."

But the suggestion was to only store the md5 of that string. Which won't work unless you hide the salt somewhere else.

Jul 2, 2018 18:17

Dylan16807 posted: "But the suggestion was to only store the md5 of that string. Which won't work unless you hide the salt somewhere else."

Oh right

Jul 2, 2018 18:18

Use the MD5 hash as the salt, then iterate until you hit a fixed point.

Jul 2, 2018 18:34

Dylan16807 posted: "But the suggestion was to only store the md5 of that string. Which won't work unless you hide the salt somewhere else."

My plan has been foiled. Maybe we can start off by cracking the MD5 hashes as part of the login process? But I guess even MD5 isn't bad enough that you can reverse 60-character strings in real time.

Jul 2, 2018 20:04

Dr. Stab posted: "Where would you store the salt?"

In the pantry. Next question.

Jul 2, 2018 20:38

iospace posted: "In the pantry. Next question."

What server specs do you recommend for Pantry? How many nodes do you usually run for applications with 250 concurrent users?

Jul 2, 2018 22:04

nielsm posted: "What server specs do you recommend for Pantry? How many nodes do you usually run for applications with 250 concurrent users?"

I'd recommend someone in decent shape, capable of lifting 15-20 pounds at once. Also has to be good with people. As for 250 concurrent users, at least 7-10.

Jul 2, 2018 22:21

Dr. Stab posted: "Where would you store the salt?"

In the bluetooth speaker.

Jul 2, 2018 22:52

Put salted bcrypt hashes in the password field, and then md5s of that in the password_md5 field! Here's the latest I'm dealing with: C++ code:

Jul 3, 2018 15:37

brap posted: "efficiency: good or bad?"

The Something Awful goons will get to the bottom of it https://twitter.com/dril/status/473265809079693312?lang=en

Jul 3, 2018 17:40

https://www.youtube.com/watch?v=Q2g9d29UIzk

Jul 4, 2018 18:30

The original Pokemon games are one part coding horror, 10 parts awesome.

Jul 4, 2018 20:53

My client's database has all these characters in it and it's driving me insane. There's supposed to also be non-breaking spaces in there but I guess the forums are smart enough to correct those!

Jul 5, 2018 16:26

iospace posted: "The original Pokemon games are one part coding horror, 10 parts awesome."

To expand on this because that was a phone post: Pokemon is probably the only thing held together with more matchsticks and rubber bands than this forum. It's easily exploited via arbitrary code execution, allowing for insane stunts on it. That's the horror. However, if you play the game normally, you'd never know. They did a lot of interesting and fun tricks to make it work, and for that, it's awesome.

Jul 5, 2018 16:58

The original Pokemon games were exactly as well-programmed as they needed to be to become insanely successful and popular. Arguably this is the only possible definition of "good code".

Jul 5, 2018 17:39

Doom Mathematic posted: "The original Pokemon games were exactly as well-programmed as they needed to be to become insanely successful and popular. Arguably this is the only possible definition of "good code"."

The hardest lesson any programmer or engineer has to learn is that good code doesn't sell.

Jul 5, 2018 17:53

iospace posted: "To expand on this because that was a phone post:"

Jul 5, 2018 18:06

itt: programmers so bad their own brains have underflowed and now they think it's a positive value

Jul 5, 2018 18:27

ratbert90 posted: "The hardest lesson any programmer or engineer has to learn is that good code doesn't sell."

It's like evolution. Good enough is all we need.

Jul 5, 2018 21:30

iospace posted: "To expand on this because that was a phone post:"

your avatar is about 8x as big as all the ram the game has to work with. it's not held together with matchsticks and rubber bands, it's code that knows its limits and constraints. is it security-sensitive? nope. does it need to be? nope.

Jul 5, 2018 22:16

Suspicious Dish posted: "your avatar is about 8x as big as all the ram the game has to work with."

https://www.youtube.com/watch?v=Vjm8P8utT5g

Jul 5, 2018 22:40

Suspicious Dish posted: "your avatar is about 8x as big as all the ram the game has to work with."

I always got a kick out of the fact that the maximum size of Windows icons (256x256) is very close to, and in some cases exceeds, the screen resolution of most arcade games of the 90s. I used to create high-resolution icons for MAME roms by screenshotting the title screens and cutting out the title/logo (and occasionally rescaling for non-square pixels). The maximum size of macOS icons is 1024x1024 IIRC, so there simply is no contest there.

Jul 5, 2018 23:06

I didn't see anything that really struck me as a horror. You jump to the pixels that make up Pikachu's rear end and weird poo poo is going to happen. Yeah, it'd be nice if they checked the boundaries but there's no defensive coding against someone using a gameshark to point your attack subroutine for whatever special ability to a picture of Pikachu's rear end.

Jul 5, 2018 23:17

Suspicious Dish posted: "your avatar is about 8x as big as all the ram the game has to work with."

it does have some very funny bugs though, like the move that is supposed to increase your critical hit rate actually decreases it.

Jul 5, 2018 23:19