WebApp Sec mailing list archives

Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)


From: "Noam Eppel" <noameppel () hotmail com>
Date: Wed, 17 Aug 2005 00:52:15 -0400


Hello Mike,

If you are implementing a one-way hash correctly, there should be no need to store the plaintext passwords. All that should be stored is the resulting hash of each password.

For example, if the plaintext password is "secretpassword", the MD5 hash of that password would be "31435008693ce6976f45dedc5532e2c1".

That hash can be stored in the user database instead of a password. The advantage of this is that if the confidentiality of that database is compromised, no passwords will be revealed. There is no feasible way to reverse a one-way hash function to reveal the plaintext password.

To authenticate users, you would take the user-submitted password (ex. "secretpassword") and perform the same hash function. The resulting hash should match the hash stored in the database.

Regards,

Noam Eppel
www.noameppel.com
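The store-the-hash-and-recompute flow described in the message above, as an added example that is not part of the original post or of any list member's code. It keeps the MD5 scheme the post describes, and adds the check a practitioner would run against such a database: an unsalted digest of a guessable password is recovered directly from a precomputed lookup table, whereas a per-user salt plus an iterated hash (PBKDF2 here, an assumption of this example rather than anything the post proposes) makes that table useless. The user table, the password list and the user names are constructed sample data.

```python
import hashlib
import hmac
import secrets

# --- Scheme as described in the post: store only md5(password) -------------

def md5_hex(password: str) -> str:
    """Unsalted MD5 hex digest of the password, as the post describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def register(db: dict, username: str, password: str) -> None:
    """Store only the digest; the plaintext is discarded."""
    db[username] = md5_hex(password)


def authenticate(db: dict, username: str, password: str) -> bool:
    """Recompute the digest of the submitted password and compare."""
    stored = db.get(username)
    if stored is None:
        md5_hex(password)  # hash anyway so unknown users cost the same time
        return False
    # constant-time comparison; a plain == leaks where the digests differ
    return hmac.compare_digest(stored, md5_hex(password))


# --- The check: a leaked unsalted-MD5 table versus a precomputed lookup ----

# Constructed wordlist standing in for a real cracking dictionary.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "secretpassword"]


def build_lookup_table(words) -> dict:
    """digest -> plaintext for every word; computed once, reused per leak."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(db: dict, table: dict) -> dict:
    """Every user whose stored digest appears in the table is recovered."""
    return {user: table[digest] for user, digest in db.items() if digest in table}


# --- Salted, iterated alternative (assumption: PBKDF2-HMAC-SHA256) ----------

def register_salted(db: dict, username: str, password: str, iterations: int = 100_000) -> None:
    """Store (salt, iteration count, derived key); salt is random per user."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    db[username] = (salt.hex(), iterations, dk.hex())


def authenticate_salted(db: dict, username: str, password: str) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    salt_hex, iterations, dk_hex = rec
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(db: dict, table: dict) -> dict:
    """The MD5 lookup table recovers nothing: digests are salted and not MD5."""
    return {user: table[rec[2]] for user, rec in db.items() if rec[2] in table}


if __name__ == "__main__":
    users = {}
    register(users, "alice", "secretpassword")   # constructed sample user
    print("login ok:", authenticate(users, "alice", "secretpassword"))
    print("wrong pw:", authenticate(users, "alice", "hunter2"))
    print("recovered from leak:", crack_unsalted(users, build_lookup_table(COMMON_PASSWORDS)))

    salted_users = {}
    register_salted(salted_users, "alice", "secretpassword")
    print("salted login ok:", authenticate_salted(salted_users, "alice", "secretpassword"))
    print("recovered from salted leak:", crack_salted(salted_users, build_lookup_table(COMMON_PASSWORDS)))
```

The lookup table costs one MD5 per dictionary word and is built before any database leaks, so "no passwords will be revealed" holds only for passwords that are not in the attacker's dictionary; the salt forces the attacker to redo that work per user, and the iteration count makes each attempt slow.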


From: mike () sharecube com
To: webappsec () securityfocus com
Subject: Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)
Date: 17 Aug 2005 00:59:38 -0000


The purpose of MD5 password encoding has almost nothing to do with protection of the password field.

The entire password has to have been entered and stored somewhere before the MD5 encryption can be performed. That somewhere can be spied upon.

MD5 password protection is used to ensure that the submitted contents are NOT from a bot trying to play a logon attack. It is a sort of CAPTCHA protection since the logon must come from the logon form on the implemented web site.

Mike
www.sharecube.com

