MD5 hash requested against user passwords December 14, 2006 1:06 PM   Subscribe

Given the trouble of certain sites, maybe we should also all look at another problem that they have experienced, and make sure we ourselves do not need to send out such alerts. A simple MD5 hash against your user passwords in your database keep them much more secure than holding them plain text.
posted by SirStan to Feature Requests at 1:06 PM (21 comments total) 1 user marked this as a favorite

I would assume MetaFilter stores my password plaintext based on this email:

You requested your MetaFilter password, and that is: iloveaol

Login with your username and password here:
http://www.metafilter.com/login/

posted by SirStan at 1:20 PM on December 14, 2006


Yes, there's no reason to store these plain text. Concatenating the password with a secret string before hashing would add additional security.
posted by null terminated at 1:35 PM on December 14, 2006


Yeah, I can revamp the passwords to make them more secure. I stuck with simple because it was easy and it worked, but I could see how it'd be a problem going forward with a community of this size.
posted by mathowie (staff) at 2:06 PM on December 14, 2006


Why not ask for a really outlandish pony, like the ability to change your password?

Raise your hand if you've ever changed your Mefi password. What, nobody? Now that's bad security.
posted by dmd at 2:06 PM on December 14, 2006


Yes Please. *reflects woefully on ridiculously weak password.*
posted by Mitheral at 2:14 PM on December 14, 2006


Raise your hand if you've ever changed your Mefi password.

Hey, man, "password" has worked for me so far. Why in god's name would I change it now?
posted by cortex at 2:15 PM on December 14, 2006


Because "iloveaol" is so much sweeter.
posted by It's Raining Florence Henderson at 2:20 PM on December 14, 2006


A simple MD5 hash against your user passwords in your database keep them much more secure than holding them plain text.

Nonreversible encryption would prevent the site from being able to send you your password when you forgot it. Which would be fine if the site gave you the ability to create a new one instead. It's easy to write code to do this -- the standard technique is to send an email to the user's address of record with a URL containing a temporary key which they can use to reset their password. Last time I wrote this from scratch it took less than an hour. Just be sure to make the key long (a random 64-bit number represented as a hex string ought to do it) and to code it to disable/destroy the temporary key under the following circumstances:
  • A set amount of time elapses, say, something between 24 and 72 hours
  • The user follows the URL and creates their new password successfully
  • The user logs in successfully using their old password (they'd forgotten it, or someone other than the user performed the request)
  • The request is made again and another key sent
posted by George_Spiggott at 2:24 PM on December 14, 2006


Hey, man, "password" has worked for me so far. Why in god's name would I change it now?

Wow, that totally explains how "cortex" is so prolific...
posted by togdon at 2:25 PM on December 14, 2006


SirStan, your password's not working. Perhaps you mistyped it?
posted by klangklangston at 2:46 PM on December 14, 2006


Did you try unicode? It isnt utf-8.

Hashing vs. a secret key is not OK. It is reversable. If I have your database dump, and website source, I can still get all your passwords (I know that my DB dump and site source are on the same backup medium, perhaps others have a better way to handle it -- though it would protect you slightly more if your database was exposed somehow. It is still security through obscurity).

MD5 is not security through obscurity, as the passwords are non-reversibly encrypted.

The MD5 sum of my (real) password is "6fd3dd773e3ea5032102f391766a349e". Feel free to login as me if you can crack it.

Though the issue with MD5 sum is possible collisions (two passwords matching one MD5 sum).
posted by SirStan at 3:15 PM on December 14, 2006


Hey, man, "password" has worked for me so far. Why in god's name would I change it now?

Because you used it on reddit, also :P
posted by scarabic at 4:04 PM on December 14, 2006


Actually, the issue with md5 is that there are huge hash databases that make storing the password as an md5 hash without any private key an exercise in futility.
posted by SpecialK at 4:08 PM on December 14, 2006


Fine. Use SHA-256.
posted by SirStan at 4:12 PM on December 14, 2006


I read somewhere that the two most common passwords among n00bs are "sex" and "secret".
posted by Steven C. Den Beste at 4:14 PM on December 14, 2006


SirStan: who's suggesting using a secret key instead of a hash?
posted by null terminated at 4:20 PM on December 14, 2006


Steven C. Den Beste : I read somewhere that the two most common passwords among n00bs are "sex" and "secret".

Many moons ago a ran an abuse desk for a largish ISP. We dealt with password issues a lot. The most common I saw were 'secret', 'password', 'god', 'love' and because this was in Wisconsin, 'harley', 'packers' and 'gopack'.

Trying to explain the idea of password security to customers back in those days was like trying to wrangle cats.
posted by quin at 4:50 PM on December 14, 2006


My mistake..

"Concatenating the password with a secret string before hashing would add additional security."

I misread that as inferring that an encryption with a secret key would be effective. My mistake.
posted by SirStan at 5:04 PM on December 14, 2006


Previously here & here, plus one from Slashdot today for good measure.
posted by scalefree at 5:08 PM on December 14, 2006


You have failed to login correctly five times. If you'd like to try more passwords out, please wait 24 hours to try again. If this is a problem, email Matt for help.

Thanks guys. :)
posted by SirStan at 7:22 PM on December 14, 2006


Whoops.

No, it wasn't me.
posted by deborah at 7:55 PM on December 14, 2006


« Older pulling out info from pages without anchors   |   Baltimore / DC meetup Newer »

You are not logged in, either login or create an account to post comments