WebApp Sec mailing list archives

Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)


From: mike () sharecube com
Date: 17 Aug 2005 00:59:38 -0000


The purpose of MD5 password encoding has almost nothing to do with protection of the password field.

The entire password has to have been entered and stored somewhere before the MD5 encryption can be performed. That somewhere can be spied upon.

MD5 password protection is used to ensure that the submitted contents are NOT from a bot trying to play a logon attack. It is a sort of CAPTCHA protection, since the logon must come from the logon form on the implemented web site.

Mike
www.sharecube.com

