password sniffing !!!

[hassank1]

hey !

when posting username and password in a login system and pressing submit .. the password could be detected using a packet sniffer ! which I think is a serious issue !!

 

so how this problem could be fixed ?

[Psycho]

Use https

 

However, you need to consider the likelyhood of someone tryng to infiltrate your application and the value of that information. If it's just a gaming site there is no need for such security. If it's a banking site, it sure as hell better be using https.

 

The most common method of gaining unauthorrized access is not through packet sniffing - it is through social engineering.

[hassank1]

ok thx for the info

 

is https the only way ?

 

would you please provide me with some info about how to use https ?

 

[Crew-Portal]

Https and MD5 egnouph said

[hassank1]

ok I see..but how can I use/enable https .. !

[p2grace]

Hmm some servers have it built into the install, what happens when you go to your website at https://www.website.com instead of http?

[hassank1]

ok well I've got a messagebox .. which say say certificate didn't match site name , and something like that .. then do u want to contiue ? I pressed yes ..

so then the only thing I've got was a blank page

[p2grace]

You'll get the error message every time because it isn't a signed certificate.  The blank page should be unrelated, does the page work without the https?

[cooldude832]

Https and MD5 egnouph said

 

md5 = not much because it can be decrypted fairly easily and it also doesn't prevent data transfer issues as its still going from client to server unprotected.

 

This is why a lot of banks and  higher up sites are using the 2 page login where page 1 is username only page 2 is password only with confirmation image to prevent this stuff

 

[hassank1]

You'll get the error message every time because it isn't a signed certificate.  The blank page should be unrelated, does the page work without the https?

 

yeah it works normally without https ... however now am getting a 404 page not found when using https://

[p2grace]

Hmm is this server hosted by a hosting company, or are you the administrator of the server?

[hassank1]

hosting company

[p2grace]

Then I would contact them about the https setup.

[hassank1]

that's what am trying to do ..

[Caesar]

If you have not purchased an SSL certificate you'll have to see about using a shared one from your host.

[Psycho]

Https and MD5 egnouph said

 

md5 = not much because it can be decrypted fairly easily and it also doesn't prevent data transfer issues as its still going from client to server unprotected.

 

Well, I will disagree with MD5, but for the complete opposite reason. MD5 is not an encryption - it is a one-way hash. We are talking about protecting the password when being transmitted from the client to the server. So, what would you do use JavaScript to hash with MD5? That's not very user friendly. Then someone could simply "capture" the MD5 value and force their submission to send that value.

 

As for being able to decrypt MD5, that is a misnomer. Yes, there are "lookup" tables where you can enter an MD5 value and it will return the value used to create that MD5 value. But, that is only because someone created that pair of values and entered it into the database. That would work to unencode/decrypt anything.

 

Also, there is a finite number of MD5 values, but you can generate an MD5 values from an infinite number of source values. So, just because a lookup table says the hash was created from value x is not definitive.

[cooldude832]

there was a person here who posted their md5 hash for their phpfreaks account it was hacked fairly easily.

 

You have to realize powerfuler languages than php exist that can run through rainbow tables (Proper Name) In a much better and systematic way.

[Psycho]

there was a person here who posted their md5 hash for their phpfreaks account it was hacked fairly easily.

 

You have to realize powerfuler languages than php exist that can run through rainbow tables (Proper Name) In a much better and systematic way.

 

Again, that is not a valid statement. Let's say you have the super most uber encryption algorithym possible. I could still create something to run through possible combinations for passwords and create a rainbow table. So, in that respect no algorithym is better than another. The reason that passwords are "fairly" easy to crack from an MD5 (or anything else) is that passwords are typically restriced to a small number of characters (say 20). Plus, people tend to use proper words. So, creating a process to generate all the combinatins only takes time.

 

However, if you take away those limitations, then there is no way to crack, unecrypt, or decypher an MD5 hash. This page explains why. MD5 is not collision resistent. That is bad news for some uses of MD5. But, that also means it is impossible to determine what was used to create an MD5 hash (unless you throw in restrictive limitations).

[awpti]

I don't think you understand what a packet sniffer is.

 

It has to be attached directly to your network port or running on your server or your host has to be stupid enough to not put your server on a managed switched while allowing hosts to put their network device into promiscuous mode.

 

Likelyhood: 0, unless your a bumpkin for a sysadmin and let people break into your system.

 

Paranoid is fine, just don't overdo it.

[haku]

md5 = not much because it can be decrypted fairly easily

 

I was under the impression that md5 couldn't be decrypted. But this site seems to have an md5 decrypter built in:

 

http://www.hashmash.com/

 

I dont use md5 though, I use sha1. Can someone test out a couple md5 encyrptions (that weren't generated on that site) to see if its accurate or not?

[redarrow]

<?php

$name="god";

$result1=md5(sha1(md5($name))); // hard to decript

$result=md5($name); // easy decrpted

echo " easy to decript this > $result not so easy this > $result1";

// try to decript the hard one mate.

?>

[hassank1]

I don't think you understand what a packet sniffer is.

 

It has to be attached directly to your network port or running on your server or your host has to be stupid enough to not put your server on a managed switched while allowing hosts to put their network device into promiscuous mode.

 

Likelyhood: 0, unless your a bumpkin for a sysadmin and let people break into your system.

 

Paranoid is fine, just don't overdo it.

 

man I know what packet sniffing is !! and if I didn't try to sniff my network for testing I was not going to ask this question !!

[redarrow]

I agree there meny websites built to decript the md5 hashing function but try my hard way......

 

The common words are easy to decript for md5 but not unusall words............

[redarrow]

It inpossable to stop packet sniffing dosent matter what admin skills u got,

There are to meny ports open to vandilize, we use ports needed for aps that are open to

sniffing that no one can do nothink about except run a ssl across them or shut them off....

 

 

when it comes to php just use my example or install a program called mcript..........

 

http://phprpms.sourceforge.net/mcrypt

[cooldude832]

I wrote what packet sniffing was, and the md5 was a separate issue.

 

MD5 is uncrackable because its hashed value is greater than or equal to the original thus it is faster to brute the unencrypted than encrypted therortically.