MD5 hash unsecure for passwords!
Posted: Wed Aug 05, 2015 11:05 pm
please read here:
http://php.net/manual/en/faq.passwords. ... s.fasthash
and learn, that md5 is unsuitable for password management.
Sure, you add a salt string, but a brute-force attack is an easy, cheap and fast solution for cracking that; we don't live in a 486 world anymore...
Have a nice day
Re: MD5 hash unsecure for passwords!
Posted: Thu Sep 03, 2015 10:52 am
It's for sure correct that MD5 nowadays is not the best hashing algorithm for passwords. Feel free to improve CrazyStat, it is open source.
But I consider the way CrazyStat encrypts passwords still secure enough. First, the password only protects your website's statistics and logs. I doubt this information is worth a brute-force attack for most websites using CrazyStat.
And if an attacker gets access to the salted password stored in config_pass.php, you have got a much bigger problem anyway. The attacker can read protected files on your file system, so he can also read your log files, which is everything the password protects. Why should he bother brute-forcing the hash if he can already read the information protected by it? It would only make sense if the password is also used somewhere else.
Of course, if I were writing this today, I would use another hashing algorithm. I would not write my own password protection, but use a proven one offered by a framework. But for what it protects, I still consider CrazyStat's login mechanism secure enough.
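The two posts above disagree about how much a salted MD5 matters, but agree on the remedy: a purpose-built password hash instead of a fast general-purpose digest. The example below is added here and is not code from the thread or from CrazyStat; it uses Python's standard library (hashlib.scrypt) rather than PHP's password_hash(), which the linked php.net FAQ recommends, because the point carries over unchanged. The record format (scrypt$N$r$p$salt$hash), the scrypt parameters, and the legacy_md5_hash() stand-in for the old scheme are all assumptions made for this example. It also shows the "rehash on successful login" pattern, which is how an existing install can migrate stored salted-MD5 records without forcing a password reset, and a rough cost comparison so the reader can see why "easy, cheap and fast" applies to MD5 but not to a memory-hard KDF.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# scrypt work factors (assumed for this example; raise N until a hash takes
# tens of milliseconds on your own server hardware).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DKLEN = 32


def legacy_md5_hash(password: str, salt: str) -> str:
    """Salted MD5 as described in the thread: one fast digest per guess."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=DKLEN)
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False  # malformed record, bad hex, or invalid scrypt parameters


def needs_rehash(record: str) -> bool:
    """True if the record is not scrypt or was made with weaker parameters."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def login_and_migrate(password: str, stored: str, legacy_salt: str) -> tuple:
    """Accept either a legacy salted-MD5 record or a scrypt record.

    Returns (authenticated, record_to_store). On a successful login against
    a legacy or under-parameterised record, the caller should persist the
    returned scrypt record so the weak hash disappears over time.
    """
    if stored.startswith("scrypt$"):
        ok = verify_password(password, stored)
    else:
        ok = hmac.compare_digest(legacy_md5_hash(password, legacy_salt), stored)
    if ok and needs_rehash(stored):
        return True, hash_password(password)
    return ok, stored


def cost_ratio(samples: int = 20) -> float:
    """How many salted-MD5 evaluations fit in the time of one scrypt evaluation."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.scrypt(b"guess", salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    scrypt_each = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples * 1000):
        hashlib.md5(salt + b"guess").digest()
    md5_each = (time.perf_counter() - t0) / (samples * 1000)
    return scrypt_each / md5_each


if __name__ == "__main__":
    # Constructed sample data, not a real CrazyStat config_pass.php value.
    old_salt = "crazystat-example-salt"
    old_record = legacy_md5_hash("statistics", old_salt)
    ok, new_record = login_and_migrate("statistics", old_record, old_salt)
    print("legacy login ok:", ok, "| migrated:", new_record.startswith("scrypt$"))
    print("verify migrated record:", verify_password("statistics", new_record))
    print("wrong password:", verify_password("statistic", new_record))
    print("MD5 guesses per scrypt guess on this machine: ~%.0f" % cost_ratio())
```

Run it as a script to see the migration round-trip and the cost ratio on your own hardware; the ratio is the practical content of the first post's "cheap and fast" remark, and the per-record parameters are what let you raise the work factor later without invalidating existing logins.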