Once more. for people reading this list without technical expertise.... you are talking about somebody getting access to database data and wanting to decrypt password stored in there using a table lookup. In this case makes very little difference if we use MD5 or SHA512. The ability to decrypt hashed passwords is limited by the ability to peform the hashing and has nothing to do with the existence of collisions in MD5. (The existence of collisions in MD5 only affect the use of this algorithms for digital signatures, which we do not do).
The argument of MD5 vs SHA512 in this case does not stand. The only way to make the hashed password not decryptatble is by using HMAC. web2py has support for HMAC+SHA512. The reason why HMAC is better is that is hashes the password together with a user provided master password. This makes table lookup attacks unfeasible. The argument of MD5 vs HMAC+SHA512 is a very solid one. The fact is that we cannot replace the default behavior (MD5) with the better one (HMAC+SHA512) because, in order to use the latter you have to pass a parameter (the master key) to the CRYPT function. The default behavior is used when you are passing no master key. If you pass the master key CRYPT(key='whetever') web2py passwords are stored in the most secure way. Mind that none of this has anything to do with the ability of an attacker to guess the passwords to access a web2py site. This is about protecting the users form the administrators who may decrypt their hashed passords and access the users's account using their decrypted passwords (of an attacker who is already in the system and can act as the web2py administrator). But mind that the administrator does not even need to decrypt passwords to access them. He just log request.vars.password from the model file to get the login passwords before they are encrypted. This is true in web2py and in any other web based system. I am much more concerned about a different issue: when an attacker wants to enter a site and repeatedly guesses the password. Perhaps there should be an option in auth that locks accounts after many failed logins. We could have another system table to handle that. Massimo On Aug 1, 11:25 am, Francisco Gama <francisco....@gmail.com> wrote: > If you follow the first hit on the search suggested by Jonathan you > see as hardware requirements: > > * Intel-based Windows NT/2000/XP PC > * Minimum 512MB Ram recommended > * Minimum 600Mhz processor recommended > > If you check out current trends on this matter you see attackers are > often using very powerful GPU's (less than 200 dollars) or even top > cloud computing systems with compromised/malicious accounts. > > The probability of web2py applications become target of an elaborate > attack has to do with the interest you and all web2py community has in > having important organizations to use it (or not). > If organizations like big enterprises use it, then web2py will surely > be an important link of attack and possible failure, possibly breaking > its name as "rock solid" into the future. It doesn't take web2py to be > much popular to become an important target. All it takes it's an > "easyJet" company (or smaller) to find it valuable and adopt it. > This is also why I would encourage Massimo Di Pierro not to leave such > a security problem by defect behind a handler like CRYPT() that may > encourage many programmers concerned about security to use it and > think they are safe when they are not. > > On Aug 1, 7:18 am, Bottiger <bottig...@gmail.com> wrote: > > > Yes the software is there, but the hardware is a completely different > > matter. > > > On Jul 31, 11:15 pm, Jonathan Lundell <jlund...@pobox.com> wrote: > > > > On Jul 31, 2009, at 11:11 PM, Bottiger wrote: > > > > > 2. Attackers will specifically target Web2Py's deterministic algorithm > > > > with a custom rainbow table. > > > > > This is a possibility, but it is not a big one. First of all, even > > > > with md5, generating tables is not something the average script kiddie > > > > can do. > > > > Google: rainbow table generator kit > > > >http://www.google.com/search?hl=en&safe=off&q=rainbow+table+generator... --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "web2py-users" group. To post to this group, send email to web2py@googlegroups.com To unsubscribe from this group, send email to web2py+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/web2py?hl=en -~----------~----~----~----~------~----~------~--~---
