How do big companies like VB store passwords?

Aaron · 04-24-2008, 10:07 PM

How does VBulletin or Paypal store their passwords? Can you tell me in a way that I can copy? :P

Village Idiot · 04-24-2008, 10:45 PM

Passwords for what? They store the database passwords in a file and most of the others in the database. I've never seen paypal's source, so I dont know what they do.

Aaron · 04-24-2008, 10:48 PM

like, database passwords.

does vb like... do salt first, or even use a salt? do they combine md5 with sha1 or do they use one or the other?

Village Idiot · 04-24-2008, 10:49 PM

Quote:

Originally Posted by Aaron

like, database passwords.

does vb like... do salt first, or even use a salt? do they combine md5 with sha1 or do they use one or the other?

No, VB has their DB password in a PHP file, completely unencrypted.

Orc · 04-24-2008, 10:50 PM

Quote:

Originally Posted by Village Idiot

No, VB has their DB password in a PHP file, completely unencrypted.

and yet, that's one of the great forum softwares. ;P i dunno

Durux · 04-24-2008, 10:50 PM

My bet is that Paypal uses an encryption for their data and not Hash and salt.
Can be wrong, but i don't think that a site as Paypal can't afford not to be as safe as possible.

Village Idiot · 04-24-2008, 10:51 PM

Quote:

Originally Posted by Orc

and yet, that's one of the great forum softwares. ;P i dunno

What do you mean? It is not a security risk to have it in the PHP file. Its not like anyone can view the source.

Orc · 04-24-2008, 10:51 PM

Quote:

Originally Posted by Village Idiot

What do you mean? It is not a security risk to have it in the PHP file. Its not like anyone can view the source.

well yes but. nevermind

Aaron · 04-24-2008, 11:04 PM

I mean like the database password for users. Do they shai($username . $salt) or what?

Village Idiot · 04-24-2008, 11:06 PM

Quote:

Originally Posted by Aaron

I mean like the database password for users. Do they shai($username . $salt) or what?

Users dont have database passwords.... If what you mean is their login passwords, they are encrypted, I think via sha1.

Aaron · 04-24-2008, 11:07 PM

just sha1, or do they use a salt? Is the salt before or after the password? :/

Village Idiot · 04-24-2008, 11:14 PM

Quote:

Originally Posted by Aaron

just sha1, or do they use a salt? Is the salt before or after the password? :/

I dont know. Sha1 is sufficient, it is a destructive algorithm. There are rumors that it has been cracked by a group of Chinese hackers, but I'm not sure I believe it.

Aaron · 04-24-2008, 11:33 PM

VB does

Code:

md5(md5($password) . $salt);

Weird... Why use that?

delayedinsanity · 04-24-2008, 11:43 PM

There's way better encryption than MD5 and SHA1, and if it was needed could easily be implemented, but for one problem. At least in this country, which like it or not has a heavy hand when leaning on other countries to do the same - the government doesn't want the public to have stronger encryption, because then they risk the possibility that they won't be able to crack civilian communications when ever necessary. </today's fun little conspiracy factoid>
-m

Orc · 04-25-2008, 12:13 AM

Quote:

Originally Posted by Aaron

VB does

Code:

md5(md5($password) . $salt);

Weird... Why use that?

that's nothing, I use zlib compression, and the hash function which allows sha256, and many more, I also use substring, and more.

TlcAndres · 04-25-2008, 01:02 AM

The reason they use something like that is first there something called rainbow tables or glorified brute forces that try and guess your password, add a salt and it gets that much harder but they can add the salt to the list and have them md5 that now md5 the password then salt it and md5 it and it just's that much harder to crack...

In the end MD5 and SHA1 have been cracked because computers can't do true random numbers (they're based off algoritms like the twister) and thus reversible. so if a team of determined hackers want your password than they will get them, the only true way to be secure from network intrusion is to black box it - I find security to be more a game of "Tire out the hacker" then "Keep the hacker out" (I refrain from using "he" or "him" because some girls are very nasty hackers..)

Orc · 04-25-2008, 01:05 AM

Quote:

Originally Posted by TlcAndres

The reason they use something like that is first there something called rainbow tables or glorified brute forces that try and guess your password, add a salt and it gets that much harder but they can add the salt to the list and have them md5 that now md5 the password then salt it and md5 it and it just's that much harder to crack...

In the end MD5 and SHA1 have been cracked because computers can't do true random numbers (they're based off algoritms like the twister) and thus reversible. so if a team of determined hackers want your password than they will get them, the only true way to be secure from network intrusion is to black box it - I find security to be more a game of "Tire out the hacker" then "Keep the hacker out" (I refrain from using "he" or "him" because some girls are very nasty hackers..)

Rainbow tables are only good if you already know the password.

Village Idiot · 04-25-2008, 02:31 AM

Quote:

Originally Posted by TlcAndres

The reason they use something like that is first there something called rainbow tables or glorified brute forces that try and guess your password, add a salt and it gets that much harder but they can add the salt to the list and have them md5 that now md5 the password then salt it and md5 it and it just's that much harder to crack...

In the end MD5 and SHA1 have been cracked because computers can't do true random numbers (they're based off algoritms like the twister) and thus reversible. so if a team of determined hackers want your password than they will get them, the only true way to be secure from network intrusion is to black box it - I find security to be more a game of "Tire out the hacker" then "Keep the hacker out" (I refrain from using "he" or "him" because some girls are very nasty hackers..)

MD5 was cracked a while ago, there are only rumors of sha1 being cracked. Sha1 nor MD5 use random algorithms because they must come out with the same result every time. They destroy the original value, meaning that even if you can reverse the process, there are unlimited possibilities of what it could be. If you dont have a short or dictionary word password, the hacker wont know one from another. Using two or more wont render much since anyone experienced enough to crack it once would catch on to what it was and just do the process again.

Mathew · 04-26-2008, 07:28 PM

For my projects I use a combination of 2 salts (1 Static, 1 Dynamic). When a user registers to my website the backend will generate a random salt key for each user. Even if 2 different users register to my website with the same password, the resulting hash will be different.

So if the database was ever hacked or stolen, they would be missing the static salt key, thus it would prove to be impossible for them to bruteforce any of the passwords.

However I'll touch wood, just incase.

delayedinsanity · 04-26-2008, 07:34 PM

1 dynamic? How do you go about that, if I may ask? As far as I understand you need the same SALT to unhash as you use in the hash, so don't you have to store the dynamic one somewhere?
-m