Comments on: MD5 My Passwords, for f*ck’s sake http://www.jeffkee.com/web-development-design/md5-php-user-database-security/ Wed, 17 Mar 2010 14:41:01 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Bill Compton http://www.jeffkee.com/web-development-design/md5-php-user-database-security/comment-page-1/#comment-11353 Bill Compton Mon, 04 Jun 2007 23:04:14 +0000 http://blog.jeffkee.com/2007/03/21/md5-php-user-database-security/#comment-11353 Hi Jim. Photos i received. Thanks Hi Jim. Photos i received. Thanks

]]> By: Password News » Blog Archive » MD5 My Passwords, for f*ck’s sake http://www.jeffkee.com/web-development-design/md5-php-user-database-security/comment-page-1/#comment-1808 Password News » Blog Archive » MD5 My Passwords, for f*ck’s sake Thu, 22 Mar 2007 23:12:21 +0000 http://blog.jeffkee.com/2007/03/21/md5-php-user-database-security/#comment-1808 [...] See more here: Password Topics [...] [...] See more here: Password Topics [...]

]]> By: Paul Butler http://www.jeffkee.com/web-development-design/md5-php-user-database-security/comment-page-1/#comment-1801 Paul Butler Thu, 22 Mar 2007 18:59:43 +0000 http://blog.jeffkee.com/2007/03/21/md5-php-user-database-security/#comment-1801 Actually, the bookmarklet prompts you for your password and inserts the generated password into the password input. Or if you are lazy like me, you can have the bookmarklet store the master password. I have been using it for months now and it's great. I still memorize a few passwords for things like email and paypal, so that I can change them periodically. Actually, the bookmarklet prompts you for your password and inserts the generated password into the password input. Or if you are lazy like me, you can have the bookmarklet store the master password. I have been using it for months now and it’s great. I still memorize a few passwords for things like email and paypal, so that I can change them periodically.

]]> By: Jeff Kee - Stupid People » Nice4Rice.com http://www.jeffkee.com/web-development-design/md5-php-user-database-security/comment-page-1/#comment-1794 Jeff Kee - Stupid People » Nice4Rice.com Thu, 22 Mar 2007 17:24:39 +0000 http://blog.jeffkee.com/2007/03/21/md5-php-user-database-security/#comment-1794 [...] you were to hop over to the Jeff Kee Consulting blog, you might catch Jeff going off on dumb websites that don’t encrypt your passwords, that is they store the original password on their servers and in some cases even email it back to [...] [...] you were to hop over to the Jeff Kee Consulting blog, you might catch Jeff going off on dumb websites that don’t encrypt your passwords, that is they store the original password on their servers and in some cases even email it back to [...]

]]> By: Jeff Kee http://www.jeffkee.com/web-development-design/md5-php-user-database-security/comment-page-1/#comment-1606 Jeff Kee Thu, 22 Mar 2007 00:37:00 +0000 http://blog.jeffkee.com/2007/03/21/md5-php-user-database-security/#comment-1606 oh thats brilliant. So basically it hashes it again before sending to the other side? Ya, cause passwords still can be picked up upon logon unless you use a client-side javascript to hash the string before the POST action begins. oh thats brilliant.

So basically it hashes it again before sending to the other side?

Ya, cause passwords still can be picked up upon logon unless you use a client-side javascript to hash the string before the POST action begins.

]]> By: Paul Butler http://www.jeffkee.com/web-development-design/md5-php-user-database-security/comment-page-1/#comment-1605 Paul Butler Thu, 22 Mar 2007 00:30:03 +0000 http://blog.jeffkee.com/2007/03/21/md5-php-user-database-security/#comment-1605 Storing passwords in plaintext is bad security practice, but so is using a similar password for multiple sites. For example, if you sign up for a site with the same password you use for your email, if the service provider is malicious he could get into your email. The solution: Hash the password on your side using the domain as a salt. Here is a bookmarklet to do just that: http://labs.zarate.org/passwd/ . I only have to remember one password, but the sites only receive a hashed version so they have no way of knowing what it is (aside from a dictionary attack, but how likely is that). Storing passwords in plaintext is bad security practice, but so is using a similar password for multiple sites. For example, if you sign up for a site with the same password you use for your email, if the service provider is malicious he could get into your email.

The solution: Hash the password on your side using the domain as a salt. Here is a bookmarklet to do just that: http://labs.zarate.org/passwd/ . I only have to remember one password, but the sites only receive a hashed version so they have no way of knowing what it is (aside from a dictionary attack, but how likely is that).

]]>