Old 06-01-2008, 08:33 PM   #14 (permalink)
SpYkE112
The Contributor
Join Date: May 2008
Location: Denmark
Posts: 70
Thanks: 3
I'm afraid there's a little security breach... As far as I see, this piece of code:
Code:
$hash = md5(rand(0, 999));
Leaves us with 999 different hashes.. It takes a couple of milliseconds to calculate those, and voila, a bot knows all the different combinations and a dictionary attack can begin... What I would do...

change it to something like:
Code:
// note: in PHP `^` is bitwise XOR, not exponentiation, and rand()'s upper bound is capped at getrandmax()
$hash = md5(rand(0, 999*10^10000));
That should leave us with a whole lot more combinations, actually 999 + 10002 zeros :)

But that's probably the easy way... I would rather make a pattern with lower case, upper case and chars, which should be approx 65 chars, then I would calculate a string with like 32 chars and hash it and then substr it.. Should make it even more bot secure ;)
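As an added example (not part of the original post or the script under discussion), the following PHP shows the defender's view of the point made above: the keyspace of `md5(rand(0, 999))` is so small that every possible token can be precomputed, while a token drawn from the OS random source has enough entropy that enumeration is infeasible. It assumes PHP 7.0 or later for `random_bytes()` and `random_int()` and PHP 5.6 or later for `hash_equals()`; the function names and the 62-symbol alphabet are this example's own choices.

```php
<?php
// Added example, not from the original thread. Compares the size of the token
// space for the weak construction with two CSPRNG-based alternatives and shows
// a constant-time comparison for the verification step.

// Bits of entropy in md5(rand(0, $max)): the hash adds nothing, so the space
// is just $max + 1 values. For $max = 999 that is log2(1000), roughly 10 bits.
function weakTokenKeyspaceBits(int $max): float
{
    return log($max + 1, 2);
}

// Hardened token: raw bytes from the OS CSPRNG, hex-encoded.
// 32 bytes give 256 bits of entropy and a 64-character string.
function secureToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Alternative close to what the post sketches: a fixed-length string drawn
// uniformly from a mixed-case alphanumeric alphabet, using random_int()
// rather than rand()/mt_rand(), which are not cryptographically secure.
function secureTokenFromAlphabet(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $last = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $last)];
    }
    return $out;
}

// Entropy of $length symbols chosen uniformly from an alphabet of $size.
function alphabetTokenBits(int $length, int $size): float
{
    return $length * log($size, 2);
}

// Verification: hash_equals() compares in constant time so the check does not
// leak how many leading characters of a guess were correct.
function tokenMatches(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// Demonstration
printf("md5(rand(0, 999))  : %.1f bits\n", weakTokenKeyspaceBits(999));
printf("random_bytes(32)   : %d bits\n", 32 * 8);
printf("32 chars from 62   : %.1f bits\n", alphabetTokenBits(32, 62));

$token = secureToken();
echo "token: {$token}\n";
var_dump(tokenMatches($token, $token));
var_dump(tokenMatches($token, 'not-the-token'));
```

The important design point is that hashing a small value does not enlarge the token space: md5 is deterministic, so an attacker who knows the construction can hash every candidate just as the post describes. Entropy has to come from the random source, and the verification should use a constant-time comparison rather than `==`.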