Forum Topic: Secure Php Login

(543 views • 30 replies)

Jcrypt

Posted at: 6/7/06 07:39 PM

Jcrypt EVIL LEVEL 11

Sign-Up: 08/23/05

Posts: 926

Ok, if I was to make a flat-file login would this be secure enough?
- I md5 hashed the name/pass to have that extra bit of security.
- Have the login only accessible from one IP (Yeah I know this isn't all too good but... :P)
- Used addslashes() to escape basic attacks on the input.

<?php
$name = md5(addslashes($_POST['name']));
$pass = md5(addslashes($_POST['pass']));
$ipAuth = "127.0.0.1";
$authAdm = "e64b78fc3bc91bcbc7dc232ba8ec59e0"; // Is 'Admin123'
$authPass = "c25fed934c5ae9135776382aae5f9b18"; // Is 'helloWoot!!'
$ip = $_SERVER['REMOTE_ADDR'];
if(!empty($name) == $authAdm && !empty($pass) == $authPass && $ip == $ipAuth){
    echo "Here is your uber leet secret info yo!";
}else{
    echo "Wrong Name/Pass Supplied! Or IP doesn't match up!";
    die();
}
?>

See any possible attacks/exploits?
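Added example (not part of the original post or of any reply): in the posted condition, `!empty($name) == $authAdm` compares a boolean with a non-empty string, which PHP evaluates as true, so the submitted hashes are never compared with the stored ones. The sketch below puts that condition beside a check built on `hash_equals()` and `password_verify()`; the function names and the `$cfg` array are hypothetical.

```php
<?php
// Added example: function names and $cfg are hypothetical.

// Condition as posted. !empty(...) is a boolean, and PHP treats
// (true == "any non-empty string") as true, so neither hash is compared.
function postedCheck(string $name, string $pass, string $ip): bool {
    $n = md5(addslashes($name));
    $p = md5(addslashes($pass));
    $authAdm  = "e64b78fc3bc91bcbc7dc232ba8ec59e0";
    $authPass = "c25fed934c5ae9135776382aae5f9b18";
    return !empty($n) == $authAdm && !empty($p) == $authPass && $ip == "127.0.0.1";
}

// Corrected check: compare the values themselves, in constant time,
// against a salted password_hash() value instead of a bare md5.
function hardenedCheck(string $name, string $pass, string $ip, array $cfg): bool {
    // Evaluate every condition before combining, so all failures take one path.
    $nameOk = hash_equals($cfg['name'], $name);
    $passOk = password_verify($pass, $cfg['pass_hash']);
    $ipOk   = hash_equals($cfg['ip'], $ip);
    return $nameOk && $passOk && $ipOk;
}

$cfg = [
    'name'      => 'Admin123',
    // Constructed here for the demo; in practice generated once and stored.
    'pass_hash' => password_hash('helloWoot!!', PASSWORD_DEFAULT),
    'ip'        => '127.0.0.1',
];

// Wrong credentials from the allowed IP, through both checks.
var_dump(postedCheck('nobody', 'wrong', '127.0.0.1'));
var_dump(hardenedCheck('nobody', 'wrong', '127.0.0.1', $cfg));
// Correct credentials, then correct credentials from another address.
var_dump(hardenedCheck('Admin123', 'helloWoot!!', '127.0.0.1', $cfg));
var_dump(hardenedCheck('Admin123', 'helloWoot!!', '192.0.2.10', $cfg));
```

Only the posted condition accepts the wrong credentials; the corrected check rejects them and also rejects correct credentials from a different address.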


Rellizate

Posted at: 6/7/06 07:40 PM

Rellizate EVIL LEVEL 08

Sign-Up: 02/27/06

Posts: 481

Well no. People could just view all the user's passes in the txt file. Use databases.


DFox

Posted at: 6/7/06 07:42 PM

DFox LIGHT LEVEL 30

Sign-Up: 08/09/03

Posts: 9,270

At 6/7/06 07:40 PM, Rellizate wrote: Well no. People could just view all the user's passes in the txt file. use databases.

What if he puts the text file above the root directory? I believe that would secure it.


bigftballjock

Posted at: 6/7/06 07:46 PM

bigftballjock NEUTRAL LEVEL 04

Sign-Up: 02/23/05

Posts: 135

Don't use just md5, it's crackable.

Do something like:
$name = md5(sha1(base64_encode($_POST['name'])));
$pass = md5(sha1(base64_encode($_POST['pass'])));

And don't worry about running addslashes, it doesn't matter because you're just going to encode the string anyways.


bigftballjock

Posted at: 6/7/06 07:48 PM

bigftballjock NEUTRAL LEVEL 04

Sign-Up: 02/23/05

Posts: 135

At 6/7/06 07:42 PM, GamesCool wrote: What if he puts the text file above the root directory? I believe that would secure it.

Just use .htaccess to secure the directory


Kings-Cant-Fall

Posted at: 6/7/06 07:51 PM

Kings-Cant-Fall NEUTRAL LEVEL 08

Sign-Up: 12/28/04

Posts: 844

What if the user doesn't have a static IP? Also, password salting is a good idea.
Read.


bigftballjock

Posted at: 6/7/06 07:58 PM

bigftballjock NEUTRAL LEVEL 04

Sign-Up: 02/23/05

Posts: 135

If they don't have a static IP, then just check the IP range.


Jcrypt

Posted at: 6/7/06 08:08 PM

Jcrypt EVIL LEVEL 11

Sign-Up: 08/23/05

Posts: 926

How would you append in PHP? Because I could do....

$key = md5($_POST['key']);
$pass = md5($_POST['pass']);
$final = append($key, $pass);

//final = "dbe7f58b1727c7990faaab4738a54e7e";
//They'd never know where pass begins.
//final in plain-text is: 994320320983wootZ!@#$
// Whereas: 99432 could be my key and the rest the actual pass.


Jcrypt

Posted at: 6/7/06 08:10 PM

Jcrypt EVIL LEVEL 11

Sign-Up: 08/23/05

Posts: 926

At 6/7/06 07:40 PM, Rellizate wrote: Well no. People could just view all the user's passes in the txt file. use databases.

TXT File? I would never store the name/pass in *.txt I mean for an Admin-Login to edit pages etc... This should be perfect seeing as the name/pass would be md5 encrypted inside a *.php file


bigftballjock

Posted at: 6/7/06 08:59 PM

bigftballjock NEUTRAL LEVEL 04

Sign-Up: 02/23/05

Posts: 135

I still think you should use multiple encryptions, because md5 can be cracked.


Jcrypt

Posted at: 6/7/06 09:06 PM

Jcrypt EVIL LEVEL 11

Sign-Up: 08/23/05

Posts: 926

As can ANY other encryption..... What is doubling/tripling a string gonna honestly do? If they get into the source to retrieve the encrypted pass/name aren't they gonna see the encryption I have on it anyways? And decrypt it in the reverse order? And besides you know how hard it is to crack a GOOD string encrypted with md5? I'm talking like 5 lower-case 5 upper-case 7-14 characters and it's all scrambled? I'm not talking a 'helloThisIsMyPass!' I mean to md5 something like '$!^crackTHISbIaT!cH$$!()@!009844'


bigftballjock

Posted at: 6/7/06 10:46 PM

bigftballjock NEUTRAL LEVEL 04

Sign-Up: 02/23/05

Posts: 135

It's a LOT easier to crack an md5 than you know.

And if you use multiple encryptions then encrypt it again then use your own encryption and then maybe cut the string in half, and do more stuff to it, it will not only make the decryption a longer process but won't guarantee success for the "hacker".

But if you just have ONE simple encryption versus multiple complicated executions, which one would you choose?


patheticcockroach

Posted at: 6/8/06 01:22 AM

patheticcockroach LIGHT LEVEL 30

Sign-Up: 07/01/03

Posts: 473

At 6/7/06 10:46 PM, bigftballjock wrote: It's a LOT easier to crack a md5 then you know.

To my knowledge, the only way to "crack" md5 is bruteforcing... anyway, since it's so easy for you, maybe you want to show us a little demo... so, what is :
edb707ff4d481f274d360e8cff32d2ff ? (to help you, it contains 17 characters)
This one : 7e4f29b77429202024e916268abc41ba is much easier...
All this to say that, as Jcrypt said, the main problem is how complicated the password is...


bigftballjock

Posted at: 6/8/06 01:57 AM

bigftballjock NEUTRAL LEVEL 04

Sign-Up: 02/23/05

Posts: 135

For one, I never said that I could crack an md5, I just said it's easy to crack them for people that know how to. All you need to do is use a bunch of forelse loops, and every single known character that could be used in a password, and of course a very good host. Yes I've done it before, but only for a few character long passwords, because of course, hosts aren't that reliable when it comes to bruteforcing (yes that's how you must do it).

So yeah I'm sorry I kind of shouted about how it's easy to crack them, I'm just trying to say it's better to be safe than sorry.


patheticcockroach

Posted at: 6/8/06 03:35 AM

patheticcockroach LIGHT LEVEL 30

Sign-Up: 07/01/03

Posts: 473

At 6/8/06 01:57 AM, bigftballjock wrote: and of course a very good host.

hm... no, why would you need a host (do you mean a website host ?) to do that ?

bruteforcing (yes that's how you must do it).

Bruteforcing is not cracking ;)

I'm just trying to say it's better to be safe than sorry.

Yeah I agree, and in fact you are right that using several hashing methods together is a bit more secure, because :
1. if the guy has the hash but not the method, it will be very much harder to figure out the original string
2. if the guy has the hash and the method, he'll have to write his own bruteforcer, and it will run slower than a simple md5 cause he'll have to use several hashes
But, anyway in the second case, it will just make it a bit longer to find the password if it's too simple.

and now the answers so that you don't think I was trying to use your knowledge to crack passwords I don't know ;)
edb707ff4d481f274d360e8cff32d2ff is 8WùýWXïu$éMeaÓönW
7e4f29b77429202024e916268abc41ba is skate (found in a few (milli)seconds by bruteforcing or dictionary btw)

Zendra

Posted at: 6/8/06 03:48 AM

Zendra NEUTRAL LEVEL 38

Sign-Up: 09/07/03

Posts: 12,131

There's a very well working PHP class that encrypts a cookie. It's fast and secure, you can find more information about it here.

NG Review & BBS Moderator // PM Review & BBS Abuse to someone else


Absorb

Posted at: 6/8/06 06:10 AM

Absorb EVIL LEVEL 11

Sign-Up: 09/12/05

Posts: 323

Why don't you make your own encryption?
Example:

<?php
function encryptThis($string) {
$string = str_replace("a", "8cnxu6&ldsn3", $string);
return $string;
}
?>
You can do that for all letters. :)

hey, is this a sig?


bigftballjock

Posted at: 6/8/06 02:00 PM

bigftballjock NEUTRAL LEVEL 04

Sign-Up: 02/23/05

Posts: 135

hm... no, why would you need a host (do you mean a website host ?) to do that ?
bruteforcing (yes that's how you must do it).
Bruteforcing is not cracking ;)

It's all the same :)

and now the answers so that you don't think I was trying to use your knowledge to crack passwords I don't know ;)
edb707ff4d481f274d360e8cff32d2ff is 8WùýWXïu$éMeaÓönW
7e4f29b77429202024e916268abc41ba is skate (found in a few (milli)seconds by bruteforcing or dictionary btw)

Bah, I got 8W__WXïu$_M for the first password, (stupid host wouldn't continue without timing out) and I forgot to check for those fancy accented letters.


Jcrypt

Posted at: 6/8/06 02:05 PM

Jcrypt EVIL LEVEL 11

Sign-Up: 08/23/05

Posts: 926

I've been programming in C++ for years and read up on all kinds of cryptography and code exploitation. An md5 is NOT easy to crack and it's not just 'a couple for else loops' ROFL! wow... No offense but you've obviously never coded a bruteforcer nor do you know how one functions.... Bruteforcing would take years for a password like '893&*#$cRACkMe!!()_$^DidN't&ThinKSo**' So please quit arguing over an issue when google would back me up on this :P


Rellizate

Posted at: 6/8/06 02:51 PM

Rellizate EVIL LEVEL 08

Sign-Up: 02/27/06

Posts: 481

7e4f29b77429202024e916268abc41ba comes to skate, btw.

MD5 cracking is very easy.

;-)


Jcrypt

Posted at: 6/8/06 02:55 PM

Jcrypt EVIL LEVEL 11

Sign-Up: 08/23/05

Posts: 926

Oh really? Crack this then Rez and I'll pay for your webhost for a year and give you $150 USD....
There is your motivation and since it's so easy do it:
45fce2d3018170ca68bc550160bfbcf8


patheticcockroach

Posted at: 6/8/06 04:53 PM

patheticcockroach LIGHT LEVEL 30

Sign-Up: 07/01/03

Posts: 473

At 6/8/06 02:51 PM, Rellizate wrote: 7e4f29b77429202024e916268abc41ba comes to skate, btw.
MD5 cracking is very easy.
;-)

I hope it was a joke, because otherwise you are telling us that you didn't read my post dated 6/8/06 03:35 AM :p

At 6/8/06 02:00 PM, bigftballjock wrote:
Bruteforcing is not cracking ;)
It's all the same :)

Well, maybe it's just a matter of vocabulary, but by cracking I would rather mean "find an algorithm that can reverse the encryption" (implying without having to use bruteforce, at approximately the same speed as the encryption process)


bigftballjock

Posted at: 6/8/06 10:51 PM

bigftballjock NEUTRAL LEVEL 04

Sign-Up: 02/23/05

Posts: 135

At 6/8/06 02:05 PM, Jcrypt wrote: I've been programming in C++ for years and read up on all kinds of cryptography and code exploitation. An md5 is NOT easy to crack and it's not just 'a couple for else loops' ROFL! wow... No offense but you've obviously never coded a bruteforcer nor do you know how one functions.... Bruteforcing would take years for a password like '893&*#$cRACkMe!!()_$^DidN't&ThinKSo**' So please quit arguing over an issue when google would back me up on this :P

It may not be easy for YOU to crack, but to others it might be, it's all in experience and knowledge.

And you can decrypt a md5 through a hell of a lot of forelse loops but takes a hell of a long time to do so. So it might not be bruteforcing in your mind but, in a way it is. And google backing you up, wow, search for something and you'll get about 50,000 different OPINIONS on it. So technically google can't back you up on it.


Taylor

Posted at: 6/8/06 11:00 PM

Taylor LIGHT LEVEL 09

Sign-Up: 08/19/03

Posts: 8,532

rainbows are so colorful and wonderful and grand.


Rellizate

Posted at: 6/9/06 09:14 AM

Rellizate EVIL LEVEL 08

Sign-Up: 02/27/06

Posts: 481

At 6/8/06 04:53 PM, patheticcockroach wrote: I hope it was a joke, because otherwise you are telling us that you didn't read my post dated 6/8/06 03:35 AM :p

It was a joke...

:D


patheticcockroach

Posted at: 6/10/06 05:54 AM

patheticcockroach LIGHT LEVEL 30

Sign-Up: 07/01/03

Posts: 473

At 6/9/06 09:14 AM, Rellizate wrote: It was a joke...
:D

ah ok, that's what I thought was most probable but I just wanted to make sure... I don't like when ppl post things that make me think they didn't read at all what I wrote before :)


GalactiGames

Posted at: 6/10/06 08:00 AM

GalactiGames NEUTRAL LEVEL 03

Sign-Up: 05/20/06

Posts: 140

At 6/8/06 11:00 PM, taylorwilsdon wrote: rainbows are so colorful and wonderful and grand.

Seconded, Rainbow Tables are a much more powerful way to obtain an md5 hash


Xelius

Posted at: 6/10/06 08:06 AM

Xelius EVIL LEVEL 21

Sign-Up: 01/07/05

Posts: 385

At 6/8/06 10:51 PM, bigftballjock wrote: It may not be easy for YOU to crack, but to others it might be, it's all in experience and knowledge.

I can tell you this. If you don't have access to a supercomputer like IBM Blue Gene with 131072 processors, it will take you several lifetimes to decrypt even a normal length password. So how "experienced" you are really doesn't matter, it's all about processing power.

BUT! there's a very easy way if you have access to a fairly large database with passwords and only need get to one of those accounts. Most users are stupid, they don't think: "oh noes, better make a really complicated password so I don't get hacked". It's rather: "better make something I can remember". That's why "asdf" might be the password to rule them all.

With this in mind, all you need to do is find the md5 for "asdf", "qwerty" or any other easily remembered password. Give it a search through the database, and you're almost guaranteed success.


cherries

Posted at: 6/10/06 01:33 PM

cherries LIGHT LEVEL 18

Sign-Up: 06/07/05

Posts: 4,561

$password = md5(sha1(base64_encode(md5(base64_encode(sha1(base64_encode("password here")))))));

would that work :D


Amish

Posted at: 6/12/06 04:46 PM

Amish NEUTRAL LEVEL 16

Sign-Up: 03/13/03

Posts: 2,986

WTF why use 100 functions to secure a fucking hash

$pass = sha1(md5($pass));

EDN. It's up to the user to make a reasonable password. Who the hell is going to crack a 32 character long sha1. EDN.
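Added example (not code from any poster in this thread): it relates the salting advice earlier in the thread to the nested-hash suggestions and to the point about common passwords in a large database. It groups accounts by stored hash under plain md5, the nested md5(sha1(base64_encode())) scheme and PHP's salted `password_hash()`; the account names, passwords and function names are constructed for illustration.

```php
<?php
// Added example; account names and passwords are constructed sample data.

// The nested scheme suggested in the thread: still unsalted and deterministic.
function nestedHash(string $pw): string {
    return md5(sha1(base64_encode($pw)));
}

// Group accounts by stored hash. Any group larger than one means equal
// passwords produce equal hashes, so one precomputed value matches them all.
function sharedHashGroups(array $stored): array {
    $groups = [];
    foreach ($stored as $user => $hash) {
        $groups[$hash][] = $user;
    }
    return array_values(array_filter($groups, fn($users) => count($users) > 1));
}

$passwords = ['alice' => 'asdf', 'bob' => 'qwerty', 'carol' => 'asdf', 'dave' => 'asdf'];

$schemes = [
    'md5'           => fn($pw) => md5($pw),
    'nested'        => fn($pw) => nestedHash($pw),
    // Random per-password salt and a deliberately slow algorithm.
    'password_hash' => fn($pw) => password_hash($pw, PASSWORD_DEFAULT),
];

foreach ($schemes as $label => $hashFn) {
    // array_map keeps the account names as keys when given a single array.
    $stored = array_map($hashFn, $passwords);
    $shared = sharedHashGroups($stored);
    printf("%-14s accounts sharing a hash: %s\n", $label, json_encode($shared));
}

// Verification still works with the salted hash, because the salt is
// stored inside the hash string itself.
$h = password_hash('asdf', PASSWORD_DEFAULT);
var_dump(password_verify('asdf', $h), password_verify('qwerty', $h));
```

Both unsalted schemes report alice, carol and dave as sharing one hash, while the `password_hash()` row reports no shared hashes.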


All times are Eastern Standard Time (GMT -5)