
password sniffing !!!


hassank1

Recommended Posts

Use https

 

However, you need to consider the likelihood of someone trying to infiltrate your application and the value of that information. If it's just a gaming site there is no need for such security. If it's a banking site, it sure as hell better be using https.

 

The most common method of gaining unauthorized access is not through packet sniffing - it is through social engineering.


HTTPS and MD5, enough said

 

md5 = not much because it can be decrypted fairly easily and it also doesn't prevent data transfer issues as it's still going from client to server unprotected.

 

This is why a lot of banks and higher-up sites are using the 2-page login, where page 1 is username only and page 2 is password only, with a confirmation image to prevent this stuff.

 


You'll get the error message every time because it isn't a signed certificate.  The blank page should be unrelated, does the page work without the https?

 

yeah it works normally without https ... however now I'm getting a 404 page not found when using https://


HTTPS and MD5, enough said

 

md5 = not much because it can be decrypted fairly easily and it also doesn't prevent data transfer issues as it's still going from client to server unprotected.

 

Well, I will disagree with MD5, but for the complete opposite reason. MD5 is not encryption - it is a one-way hash. We are talking about protecting the password when being transmitted from the client to the server. So, what would you do, use JavaScript to hash with MD5? That's not very user friendly. Then someone could simply "capture" the MD5 value and force their submission to send that value.

 

As for being able to decrypt MD5, that is a misnomer. Yes, there are "lookup" tables where you can enter an MD5 value and it will return the value used to create that MD5 value. But, that is only because someone created that pair of values and entered it into the database. That would work to unencode/decrypt anything.

 

Also, there is a finite number of MD5 values, but you can generate an MD5 value from an infinite number of source values. So, just because a lookup table says the hash was created from value x is not definitive.

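Added example (not code from this thread or from phpfreaks): the two points above in working form. The "still going from client to server unprotected" post and the "capture the MD5 value and force their submission to send that value" post describe the same thing from two angles, so one script covers both. The captured HTTP request, the user name and the password are constructed for the example; the login handler is a toy stand-in that stores md5(password) and compares it with whatever the browser submits, which is what a "hash in JavaScript before submit" scheme amounts to on the server side.

```python
"""Sniff a plain-HTTP login and replay it, whether or not the browser
hashed the password first. Everything below is constructed for this
example; it is not code from the forum thread."""
import hashlib
from urllib.parse import parse_qs

# Constructed capture of a login POST exactly as it crosses the wire over
# plain HTTP. The body is the form field "password" carrying md5("password"),
# i.e. the browser already hashed it client-side. Nothing here is hidden
# from anyone on the path: no TLS, so the whole request is readable.
CAPTURED_REQUEST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 59\r\n"
    b"\r\n"
    b"username=hassank1&password=5f4dcc3b5aa765d61d8327deb882cf99"
)


def client_side_md5(password: str) -> str:
    """What a 'hash it in JavaScript before submitting' page sends in place
    of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def extract_form_fields(raw_request: bytes) -> dict:
    """All a sniffer has to do with a captured plain-HTTP POST: split off
    the headers and parse the url-encoded body."""
    headers, _, body = raw_request.partition(b"\r\n\r\n")
    if not headers.startswith(b"POST"):
        return {}
    parsed = parse_qs(body.decode(), keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


class ToyLoginHandler:
    """Stand-in for the server side of a client-hashed login: it stores
    md5(password) and accepts a submission whose value matches. The
    submitted hash therefore *is* the credential."""

    def __init__(self) -> None:
        self._users: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = client_side_md5(password)

    def login(self, username: str, submitted_value: str) -> bool:
        return self._users.get(username) == submitted_value


def replay_captured_login(raw_request: bytes, handler: ToyLoginHandler) -> bool:
    """Resubmit exactly what was sniffed. The attacker never learns the
    original password and does not need to: the captured value is what
    the server accepts. Client-side hashing changed nothing."""
    fields = extract_form_fields(raw_request)
    return handler.login(fields.get("username", ""), fields.get("password", ""))


def demo() -> dict:
    handler = ToyLoginHandler()
    handler.register("hassank1", "password")  # constructed credential
    fields = extract_form_fields(CAPTURED_REQUEST)
    return {
        "sniffed_value": fields["password"],
        "is_md5_of_password": fields["password"] == client_side_md5("password"),
        "replay_succeeds": replay_captured_login(CAPTURED_REQUEST, handler),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The only thing that changes the picture is encrypting the transport (HTTPS), which the first reply in the thread already said; with TLS the sniffer sees ciphertext instead of the body above, and the replayed value is never exposed in the first place.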

there was a person here who posted their md5 hash for their phpfreaks account; it was hacked fairly easily.

 

You have to realize more powerful languages than php exist that can run through rainbow tables (Proper Name) in a much better and systematic way.

 

Again, that is not a valid statement. Let's say you have the super most uber encryption algorithm possible. I could still create something to run through possible combinations for passwords and create a rainbow table. So, in that respect no algorithm is better than another. The reason that passwords are "fairly" easy to crack from an MD5 (or anything else) is that passwords are typically restricted to a small number of characters (say 20). Plus, people tend to use proper words. So, creating a process to generate all the combinations only takes time.

 

However, if you take away those limitations, then there is no way to crack, unencrypt, or decipher an MD5 hash. This page explains why. MD5 is not collision resistant. That is bad news for some uses of MD5. But, that also means it is impossible to determine what was used to create an MD5 hash (unless you throw in restrictive limitations).

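Added example (not code from this thread): the argument in the post above, that the "decrypter" sites work only because human passwords live in a tiny, predictable space, carried out in code. The word list is constructed, and the salted variant at the end is this example's own contrast rather than something the thread proposes; it shows why precomputing a lookup table stops paying off once each hash is tied to a random per-user salt.

```python
"""Why an 'MD5 decrypter' works: it is a precomputed table over the small
space people actually choose passwords from. Constructed example; the
word list and test passwords are made up for it."""
import hashlib

# Constructed stand-in for the "proper words" people pick as passwords.
WORDLIST = ["password", "summer", "letmein", "monkey", "dragon", "phpfreaks"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def candidate_passwords(wordlist):
    """Enumerate the restricted space: a dictionary word, optionally
    capitalised, optionally followed by a number 0-99. Six words become
    6 * 2 * 101 = 1212 candidates. A real cracker's list is larger, but
    the principle is the same: finite, and cheap to precompute."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for n in range(100):
                yield f"{base}{n}"


def build_md5_table(wordlist) -> dict:
    """Precompute md5 -> plaintext once; reusable against every unsalted
    MD5 hash anyone ever posts. This is what the lookup sites hold."""
    return {md5_hex(p): p for p in candidate_passwords(wordlist)}


def crack_unsalted_md5(table: dict, digest: str):
    """'Decrypting' MD5 is a dictionary lookup, nothing more."""
    return table.get(digest.lower())


def salted_md5(password: str, salt: bytes) -> str:
    """Contrast (this example's assumption, not the thread's): hashing a
    random per-user salt together with the password. The hash function
    is unchanged, but the precomputed table no longer applies because it
    was built for md5(password), not md5(salt + password); an attacker
    would have to rebuild it per salt, and cannot do so in advance."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def demo() -> dict:
    table = build_md5_table(WORDLIST)
    weak = md5_hex("Summer42")            # in the restricted space
    strong = md5_hex("x9!Qv#2mLp@7zR")    # outside it: table knows nothing
    salted = salted_md5("Summer42", b"\x13\x37\xca\xfe\x00\x01\x02\x03")
    return {
        "table_size": len(table),
        "weak_cracked_as": crack_unsalted_md5(table, weak),
        "strong_cracked_as": crack_unsalted_md5(table, strong),
        "salted_weak_cracked_as": crack_unsalted_md5(table, salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The table is built once and costs nothing per lookup, so a posted unsalted MD5 of a dictionary-style password falls immediately. The same table returns nothing for a long random password or for a salted hash, not because MD5 got stronger, but because the value being looked up is no longer in the space that was precomputed.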

I don't think you understand what a packet sniffer is.

 

It has to be attached directly to your network port or running on your server, or your host has to be stupid enough to not put your server on a managed switch while allowing hosts to put their network device into promiscuous mode.

 

Likelihood: 0, unless you're a bumpkin for a sysadmin and let people break into your system.

 

Paranoid is fine, just don't overdo it.


md5 = not much because it can be decrypted fairly easily

 

I was under the impression that md5 couldn't be decrypted. But this site seems to have an md5 decrypter built in:

 

http://www.hashmash.com/

 

I don't use md5 though, I use sha1. Can someone test out a couple of md5 encryptions (that weren't generated on that site) to see if it's accurate or not?


I don't think you understand what a packet sniffer is.

 

It has to be attached directly to your network port or running on your server, or your host has to be stupid enough to not put your server on a managed switch while allowing hosts to put their network device into promiscuous mode.

 

Likelihood: 0, unless you're a bumpkin for a sysadmin and let people break into your system.

 

Paranoid is fine, just don't overdo it.

 

man I know what packet sniffing is !! and if I hadn't tried to sniff my network for testing I wouldn't have asked this question !!


It's impossible to stop packet sniffing; it doesn't matter what admin skills you've got. There are too many ports open to vandalize; we use ports needed for apps that are open to sniffing that no one can do anything about except run SSL across them or shut them off....

 

 

When it comes to PHP just use my example or install a program called mcrypt...

 

http://phprpms.sourceforge.net/mcrypt

