
Thread: How to Double Dutch (PHP)

  1. #61
    Join Date
    Jan 2008
    Posts
    140
    This thread owns on so many levels... haha, I read it from post * through now lol haha, this is great
    Yes..i do wear a grey hat... and don't plan on changing to white or black..

  2. #62
    Join Date
    Sep 2006
    Posts
    1,649
    Hehe, this thread does bring back memories. I thought I actually had a chance against the powers of SyntaX******. They don't call him that just for fun, you know.

    EDIT: Just read through SyntaX's code again, and realized that I could actually 'read' most of the code, not just stare at it in amazement like I did the last time I opened this thread.
    Last edited by Moonbat; 04-23-2008 at 10:28 PM.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  3. #63
    Join Date
    Jan 2005
    Posts
    623
    Just read through SyntaX's code again, and realized that I could actually 'read' most of the code, not just stare at it in amazement like I did the last time I opened this thread.
    Well I never had any formal programming training. I just do it for the challenge when I have some extra time. Thanks to JayT I actually have started commenting all of my code. Now others can actually Read/Use the code I write. Wow, no more headaches. Go figure!
    [url=http://www.syntax******.info/tools/services.php]Speed Up Windows XP[/url]
    [url=http://www.syntax******.info/tools/ip.php]Get An Ip Address[/url]
    [url=http://www.syntax******.info/tools/base_converter.php]Base Converter[/url]
    --------------------------------
    [URL=http://www.boninroad.com/syntax******/]Old Site[/URL]
    [URL=http://www.syntax******.info]Coming Soon[/URL]

  4. #64
    Join Date
    Sep 2006
    Posts
    1,649
    Quote Originally Posted by SyntaX****** View Post
    Well I never had any formal programming training. I just do it for the challenge when I have some extra time. Thanks to JayT I actually have started commenting all of my code. Now others can actually Read/Use the code I write. Wow, no more headaches. Go figure!
    I didn't mean my last post in this sense.

    What I meant was, before I really didn't know a lot of PHP so it was just a bunch of code, but now after learning a good deal of PHP I can actually understand most of the code.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  5. #65
    Join Date
    Aug 2007
    Posts
    122

    Homemade Hash Recipe

    Security by obscurity is OK sometimes.

    Securing login data by using SHA* or MD5 is good.
    If done carefully, brute force guessing can be essentially neutralized.

    For example, code like
    Code:
    md5(sha*(sha*(md5(md5(sha*("aa"))))))
    seems excessive.

    A simpler way is simply to use an arbitrary, but consistent, rule to modify the hash in a way known ONLY to you and no other. Without this secret info, no amount of ordinary brute force will crack the hash in any practical time period. Mission accomplished.


    Code:
    $hash =  md5("John");
    When I execute this, it returns

    $hash = "6*40*aa*fd47d4a5**2de2*cbf5*a*6f"



    Instead of leaving it that way, you could apply a 'private rule', such as swapping the **th character with the final character of the hash string before storing it.

    In the above example

    $hash = "6*40*aa*fd47d4a5**2de2*cbf5*a*6f"

    would become:

    "6*40*aa*fd47f4a5**2de2*cbf5*a*6d"

    Brute force will NOT find 'John' from this hash.

    The **th character 'f' was swapped with the final character 'd' to break the brute force method.

    Before comparing, we repeat the swap, to restore the hash to normal.


    ANY SIMPLE RULE WILL DO
    It can be ANY simple convenient rule that transparently alters the hash from its original sequence but can be easily undone to restore the original hash.

    To use the hash, simply reverse the process before comparing it. If someone stole your password list encrypted in this manner, would it simply occur to them to swap the **th and the final characters prior to attempting to crack it by brute force? Not likely.

    The change is essentially invisible and without that special prior knowledge of the required minor change, nobody is likely to crack the hash. It's like the secret ingredient your mum uses in a recipe. Even if Russian spies steal her recipe, they still don't know about the secret ingredient not mentioned and will not get exactly the same result without it.

    This is a case where security by obscurity is OK, very simple and quite effective.

    The programming of this method is not difficult and its power and effectiveness lie in making sure that ONLY YOU know the secret of the hash.

    I do the same with PGP encryption too. I have to change * characters before PGP can be decrypted. Knowing the pass phrase is not enough in itself if you don't know which * characters to change first prior to decryption.

    Knowledge is power, and secret knowledge is even greater power.
    Last edited by JayT; 04-25-2008 at 02:23 PM.
    Oh to be free, so blissfully free, of the ravages of intelligence, there is no greater joy! - The Cweationist's Cweed

    All that is necessary for evil to triumph is a good PR firm.
    Very funny, Scotty. Now beam down my clothes!

  6. #66
    Join Date
    Sep 2006
    Posts
    1,649
    While this is a good idea JayT, applying a salt to a password is just as effective, and IMO easier to implement. But nevertheless, it's a cool idea and it's original as far as I know.
    "Workers of the world unite; you have nothing to lose but your chains." -Karl Marx

  7. #67
    Join Date
    Aug 2007
    Posts
    122

    Salt

    Quote Originally Posted by Moonbat View Post
    While this is a good idea JayT, applying a salt to a password is just as effective, and IMO easier to implement. But nevertheless, it's a cool idea and it's original as far as I know.
    The doctor told me to cut down on salt.
    LOL

    However, I don't think that salting a hash is any simpler to program than simply swapping 2 characters within a hash string.

    That was a simple method I used with PGP before I heard of salting. One or two secretly altered characters and PGP and several other kinds of text-based encryptions are effectively immunized against brute force.

    So simple, a Geico Salesman can do it!

    Yadayadayada

    Oh to be free, so blissfully free, of the ravages of intelligence, there is no greater joy! - The Cweationist's Cweed

    All that is necessary for evil to triumph is a good PR firm.
    Very funny, Scotty. Now beam down my clothes!
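
The two approaches discussed in posts #65 to #67, side by side, as an added example that is not code from the thread: the character-swap rule applied to an MD5 digest, and a per-password random salt through PHP's built-in `password_hash()`. `SWAP_INDEX` and the function names are assumptions made for this example, and the swap position is arbitrary rather than the one used in the thread.

```php
<?php
// Added example; not code from the thread.
// SWAP_INDEX is an arbitrary position chosen for illustration.
const SWAP_INDEX = 4;

// Post #65's "private rule": swap one character of the hex digest with the
// final character. The swap is its own inverse, so one function does both.
function swap_rule(string $hex, int $i = SWAP_INDEX): string
{
    $last = strlen($hex) - 1;
    $tmp = $hex[$i];
    $hex[$i] = $hex[$last];
    $hex[$last] = $tmp;
    return $hex;
}

function store_swapped(string $password): string
{
    return swap_rule(md5($password));
}

function check_swapped(string $password, string $stored): bool
{
    // Undo the swap, then compare in constant time.
    return hash_equals(swap_rule($stored), md5($password));
}

// Salting as raised in post #66, using PHP's built-in API: password_hash()
// generates a random salt per call and embeds it in the returned string.
function store_salted(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample: two accounts that happen to share the password "John".
$swapA = store_swapped('John');
$swapB = store_swapped('John');
$saltA = store_salted('John');
$saltB = store_salted('John');

echo "swap rule verifies:        ", var_export(check_swapped('John', $swapA), true), "\n";
echo "swap rule, equal records:  ", var_export($swapA === $swapB, true), "\n";
echo "salted verifies:           ", var_export(password_verify('John', $saltA), true), "\n";
echo "salted, equal records:     ", var_export($saltA === $saltB, true), "\n";
```

The swap rule is deterministic, so accounts sharing a password end up with the same stored string, while each `password_hash()` call produces a different record that still verifies.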
