hassank1 Posted April 10, 2008
hey! When posting a username and password in a login system and pressing submit, the password could be detected using a packet sniffer, which I think is a serious issue! So how could this problem be fixed?
https://forums.phpfreaks.com/topic/100502-password-sniffing/
Psycho Posted April 10, 2008
Use https. However, you need to consider the likelihood of someone trying to infiltrate your application and the value of that information. If it's just a gaming site there is no need for such security. If it's a banking site, it sure as hell better be using https. The most common method of gaining unauthorized access is not through packet sniffing - it is through social engineering.
hassank1 (Author) Posted April 10, 2008
ok thx for the info. Is https the only way? Would you please provide me with some info about how to use https?
Crew-Portal Posted April 10, 2008
Https and MD5, enough said.
hassank1 (Author) Posted April 10, 2008
ok I see.. but how can I use/enable https?
p2grace Posted April 10, 2008
Hmm, some servers have it built into the install. What happens when you go to your website at https://www.website.com instead of http?
hassank1 (Author) Posted April 10, 2008
ok well I've got a message box which says the certificate didn't match the site name, and something like that.. then "do you want to continue?" I pressed yes, so then the only thing I've got was a blank page.
p2grace Posted April 10, 2008
You'll get the error message every time because it isn't a signed certificate. The blank page should be unrelated; does the page work without the https?
cooldude832 Posted April 10, 2008
> Https and MD5, enough said.
md5 = not much, because it can be decrypted fairly easily and it also doesn't prevent data transfer issues, as it's still going from client to server unprotected. This is why a lot of banks and higher-up sites are using the 2-page login, where page 1 is username only and page 2 is password only with a confirmation image, to prevent this stuff.
hassank1 (Author) Posted April 10, 2008
> You'll get the error message every time because it isn't a signed certificate. The blank page should be unrelated; does the page work without the https?
yeah it works normally without https... however now I'm getting a 404 page not found when using https://
p2grace Posted April 10, 2008
Hmm, is this server hosted by a hosting company, or are you the administrator of the server?
hassank1 (Author) Posted April 10, 2008
hosting company
p2grace Posted April 10, 2008
Then I would contact them about the https setup.
hassank1 (Author) Posted April 10, 2008
that's what I'm trying to do..
Caesar Posted April 10, 2008
If you have not purchased an SSL certificate you'll have to see about using a shared one from your host.
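The posts above say "use https" but not what the application itself should do once the host has a certificate in place. The following is an added example, written for this thread rather than by any of the posters, of the server-side checks a PHP login page can make so that the password is only ever accepted over HTTPS. The canonical host name is a placeholder; the `$_SERVER` keys used (`HTTPS`, `SERVER_PORT`, `REQUEST_URI`) are standard PHP, and the cookie-parameter array form of `session_set_cookie_params` assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the thread): refuse to process a login over plain HTTP.
// Assumes HTTPS is already working on the host (shared or purchased certificate).

const CANONICAL_HOST = 'www.example.com';   // placeholder; set to your real host name

// Detect whether this request arrived over TLS. Apache/IIS set HTTPS to "on" (or "1");
// some hosts leave it unset and only the port tells you. Do not trust a proxy header
// such as X-Forwarded-Proto unless you know your host strips it from client requests.
function is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Return the HTTPS URL to redirect to, or null when the request is already secure.
// The redirect target uses the configured host, not the client-supplied Host header.
function https_redirect_target(array $server): ?string
{
    if (is_https($server)) {
        return null;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    return 'https://' . CANONICAL_HOST . $uri;
}

// --- request handling ---
$target = https_redirect_target($_SERVER);
if ($target !== null) {
    // Redirect before reading any form field: a password POSTed over plain HTTP
    // has already been exposed on the wire, so it is never accepted as a login.
    header('Location: ' . $target, true, 301);
    exit;
}

// The session cookie must also be marked Secure (and HttpOnly), otherwise the
// session id is sent in clear text on a later http:// request and can be sniffed.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Ask browsers to use HTTPS for this host on all future visits.
header('Strict-Transport-Security: max-age=31536000');

// ... normal login handling ($_POST['username'], $_POST['password']) continues here.
```

Putting the redirect before any use of `$_POST` matters: a POST that arrived over HTTP has already leaked the password, so the safe response is to bounce to the HTTPS form and have the user submit again, not to accept the credentials and "upgrade" afterwards.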
Psycho Posted April 10, 2008
> Https and MD5, enough said.
> md5 = not much, because it can be decrypted fairly easily and it also doesn't prevent data transfer issues, as it's still going from client to server unprotected.
Well, I will disagree with MD5, but for the complete opposite reason. MD5 is not an encryption - it is a one-way hash. We are talking about protecting the password when being transmitted from the client to the server. So, what would you do, use JavaScript to hash with MD5? That's not very user friendly. Then someone could simply "capture" the MD5 value and force their submission to send that value. As for being able to decrypt MD5, that is a misnomer. Yes, there are "lookup" tables where you can enter an MD5 value and it will return the value used to create that MD5 value. But that is only because someone created that pair of values and entered it into the database. That would work to unencode/decrypt anything. Also, there is a finite number of MD5 values, but you can generate an MD5 value from an infinite number of source values. So, just because a lookup table says the hash was created from value x is not definitive.
cooldude832 Posted April 11, 2008
There was a person here who posted their md5 hash for their phpfreaks account; it was hacked fairly easily. You have to realize more powerful languages than php exist that can run through rainbow tables (proper name) in a much better and more systematic way.
Psycho Posted April 11, 2008
> There was a person here who posted their md5 hash for their phpfreaks account; it was hacked fairly easily. You have to realize more powerful languages than php exist that can run through rainbow tables (proper name) in a much better and more systematic way.
Again, that is not a valid statement. Let's say you have the super most uber encryption algorithm possible. I could still create something to run through possible combinations for passwords and create a rainbow table. So, in that respect no algorithm is better than another. The reason that passwords are "fairly" easy to crack from an MD5 (or anything else) is that passwords are typically restricted to a small number of characters (say 20). Plus, people tend to use proper words. So, creating a process to generate all the combinations only takes time. However, if you take away those limitations, then there is no way to crack, unencrypt, or decipher an MD5 hash. This page explains why. MD5 is not collision resistant. That is bad news for some uses of MD5. But that also means it is impossible to determine what was used to create an MD5 hash (unless you throw in restrictive limitations).
awpti Posted April 11, 2008
I don't think you understand what a packet sniffer is. It has to be attached directly to your network port or running on your server, or your host has to be stupid enough to not put your server on a managed switch while allowing hosts to put their network device into promiscuous mode. Likelihood: 0, unless you're a bumpkin for a sysadmin and let people break into your system. Paranoid is fine, just don't overdo it.
haku Posted April 11, 2008
> md5 = not much, because it can be decrypted fairly easily
I was under the impression that md5 couldn't be decrypted. But this site seems to have an md5 decrypter built in: http://www.hashmash.com/ I don't use md5 though, I use sha1. Can someone test out a couple of md5 encryptions (that weren't generated on that site) to see if it's accurate or not?
redarrow Posted April 11, 2008
<?php
$name = "god";
$result1 = md5(sha1(md5($name))); // hard to decrypt
$result = md5($name);             // easily decrypted
echo "easy to decrypt this > $result not so easy this > $result1"; // try to decrypt the hard one mate.
?>
hassank1 (Author) Posted April 11, 2008
> I don't think you understand what a packet sniffer is. It has to be attached directly to your network port or running on your server, or your host has to be stupid enough to not put your server on a managed switch while allowing hosts to put their network device into promiscuous mode. Likelihood: 0, unless you're a bumpkin for a sysadmin and let people break into your system. Paranoid is fine, just don't overdo it.
man I know what packet sniffing is!! And if I hadn't tried to sniff my network for testing I wouldn't have asked this question!!
redarrow Posted April 11, 2008
I agree there are many websites built to decrypt the md5 hashing function, but try my hard way...... The common words are easy to decrypt for md5 but not unusual words............
redarrow Posted April 11, 2008
It's impossible to stop packet sniffing, doesn't matter what admin skills you've got. There are too many ports open to vandalize; we use ports needed for apps that are open to sniffing that no one can do anything about except run SSL across them or shut them off.... When it comes to php just use my example or install a program called mcrypt.......... http://phprpms.sourceforge.net/mcrypt
cooldude832 Posted April 11, 2008
I wrote what packet sniffing was, and the md5 was a separate issue. MD5 is uncrackable because its hashed value is greater than or equal to the original, thus it is theoretically faster to brute-force the unencrypted than the encrypted.
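The hashing argument in this thread (redarrow's `md5(sha1(md5()))` layering versus Psycho's point that lookup tables work against any deterministic function when passwords are short or common) can be settled with a few lines of code. The following is an added example written for this thread, not code from any poster; the three-word wordlist is constructed, and `password_hash`/`password_verify` are the standard PHP functions (PHP 5.5 and later) that did not yet exist when the thread was written.

```php
<?php
// Added example (not from the thread): a lookup table is built once per hash
// *function*, not per password, so nesting md5/sha1 does not make a common
// password any harder to match. Per-user salting plus a slow hash does.

// redarrow's layering, still unsalted and deterministic.
function nested_hash(string $password): string
{
    return md5(sha1(md5($password)));
}

// Precompute hash => word for a wordlist under any given hash function.
// Whoever knows the function can build this in advance, layers included.
function build_table(callable $hashfn, array $words): array
{
    $table = [];
    foreach ($words as $w) {
        $table[$hashfn($w)] = $w;
    }
    return $table;
}

function lookup(array $table, string $hash): ?string
{
    return $table[$hash] ?? null;
}

// Salted, deliberately slow hashing: password_hash() generates a random salt
// per call, so identical passwords produce different stored strings and no
// table prepared ahead of time can match them; each guess costs real CPU time.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

$words = ['god', 'password', 'letmein'];     // constructed wordlist
$plainTable  = build_table('md5', $words);
$nestedTable = build_table('nested_hash', $words);

// Both tables match "god" instantly: the nesting changed nothing.
printf("md5 lookup:    %s\n", lookup($plainTable,  md5('god')) ?? 'no match');         // god
printf("nested lookup: %s\n", lookup($nestedTable, nested_hash('god')) ?? 'no match'); // god

// With a per-user salt, two hashes of the same password differ, yet both verify.
$h1 = store_password('god');
$h2 = store_password('god');
printf("salted hashes differ: %s\n", $h1 !== $h2 ? 'yes' : 'no');                     // yes
printf("verify correct: %s, wrong: %s\n",
    check_password('god', $h1) ? 'true' : 'false',                                     // true
    check_password('dog', $h1) ? 'true' : 'false');                                    // false
```

Note that this is about password storage on the server, which is a separate problem from the sniffing the thread started with: hashing on the server does nothing for a password travelling in clear text across the network, which is what HTTPS is for.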