Web Wiz Support and Community Forums : How Safe is Encryption?

Web Wiz Support and Community Forums : How Safe is Encryption? https://forums.webwiz.net/ Copyright (c) 2006-2013 Web Wiz Forums - All Rights Reserved. Sat, 18 Apr 2026 12:33:31 +0000 Fri, 14 Oct 2005 07:19:47 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 12.08 360 https://forums.webwiz.net/RSS_post_feed.asp?TID=16854 <![CDATA[Web Wiz Support and Community Forums]]> https://forums.webwiz.net/forum_images/web_wiz_forums.png https://forums.webwiz.net/ <![CDATA[How Safe is Encryption? : The simplest solution if anyone...]]> https://forums.webwiz.net/how-safe-is-encryption_topic16854_post92174.html#92174 Author: WebWiz-Bruce
Subject: 16854
Posted: 14 October 2005 at 7:19am

The simplest solution if anyone is worried about the encryptedpasswords being de-crypted is to make sure that a hacker doesn't gethold of your database in the first place.

If you are running the Access version Web Wiz Forums comes withinstalled instructions on how to secure your database from hackers byplacing it in a folder that doesn't have HTTP access.

If you are running MS SQL Server, then your database should be pretty secure anyway and you don't need to do anything.

Probably the biggest weakness to a hacker is if you make your admin password easy to guess.
]]> Fri, 14 Oct 2005 07:19:47 +0000 https://forums.webwiz.net/how-safe-is-encryption_topic16854_post92174.html#92174 <![CDATA[How Safe is Encryption? : The one-way hash function in WWF...]]> https://forums.webwiz.net/how-safe-is-encryption_topic16854_post92088.html#92088 Author: JJLatWebWiz
Subject: 16854
Posted: 12 October 2005 at 1:16pm

The one-way hash function in WWF provides substantial protection of the passwords. Even if the encryption method were MD5, WWF v7.92 "salts" the hash to make the so-called MD5 crack more difficult. In practical terms, it would probably be easier to guess your password or trick you into giving it away and much easier to compromise the Windows machine hosting your site than to defeat the encryption.

In theory, MD5 and SHA1 hashes suffer from a weakness known as "collisions", where two different strings of text result in the same hash. That means that if your password was "abcd1234" the hash stored in the database might be the same as the hash for "wxyz7890", so an attacker doesn't have to try every possible combination of characters that a 128 bit (for MD5) or a 160 bit (as used by WWF) hash would imply. I could be so easy that an semi-skilled script-kiddie with an average gaming PC could find a collision in a matter of hours. However, the technique used to exploit the weakness requires the attacker to possess the password hash, which WWF does not provide.

If an attacker gains access to your database, he has access to the hash and the salt and, presumably, your source code. With all that information, and assuming the one-way hash of WWF is equally vulnerable to collisions, the attacker doesn't have to find your password, he just has to find a set of characters that produces the same hash. If the attacker does not have access to the database, then he has to try billions upon billions of possible passwords, and through the WWF web interface is laughably impractical even if the hash function suffers from collision weaknesses.

If the hash used in WWF were MD5, this might be a concern since tools are being developed to demonstrate the MD5 weakness and so punks don't have to understand encryption, just how to use the tool. Maybe there are people out there who know of a flaw or weakness in the WWF one-way hash, but it seems unlikely given the depth of knowledge it implies.

In short, your passwords (and only your passwords) are very secure against being decrypted. Everything else in the equation is so vulnerable that WWF passwords can safely be an after-thought.

]]> Wed, 12 Oct 2005 13:16:28 +0000 https://forums.webwiz.net/how-safe-is-encryption_topic16854_post92088.html#92088 <![CDATA[How Safe is Encryption? : Even though MD5 has been cracked,...]]> https://forums.webwiz.net/how-safe-is-encryption_topic16854_post92053.html#92053 Author: michael
Subject: 16854
Posted: 11 October 2005 at 11:41pm

Even though MD5 has been cracked, I seriously doubt it can be done byanyone. I don't recall the details but IIRC a massive amount ofcomputer power is needed to repeat this task, thus making it notfeasible. In later versions of .net 2.0 I believe MS is switching toSHAx as the defualt encryption for it's authentication provider but not100% about that.]]> Tue, 11 Oct 2005 23:41:19 +0000 https://forums.webwiz.net/how-safe-is-encryption_topic16854_post92053.html#92053 <![CDATA[How Safe is Encryption? : MD5 Hashing Cracked, Now What?...]]> https://forums.webwiz.net/how-safe-is-encryption_topic16854_post92047.html#92047 Author: dfrancis
Subject: 16854
Posted: 11 October 2005 at 6:28pm

MD5 Hashing Cracked, Now What?

Channel 9

With MD5 being cracked and compromised as a crypto method, what are new alternatives that are more stronger than that to use in encryption of passwords and others? i am trying to find a good hashing crypto that is strong and cant be cracked easily for the foreseeable future! thanks

Tuesday October 11, 2005 3:11PM PDT

Isn't this the method used?

]]> Tue, 11 Oct 2005 18:28:16 +0000 https://forums.webwiz.net/how-safe-is-encryption_topic16854_post92047.html#92047 <![CDATA[How Safe is Encryption? : The encryption for passwords is...]]> https://forums.webwiz.net/how-safe-is-encryption_topic16854_post91959.html#91959 Author: WebWiz-Bruce
Subject: 16854
Posted: 10 October 2005 at 8:53am

The encryption for passwords is 160bit one way encrypted which meansthat the passwords can not be recovered so there is nothing in thesoftware that a hacker can use to decrypt the password.

For extra security 'SALT' values are also used so that a hacker can nottry and spot similarities in encoding to try a workout the passwords.

However, as the forums database carries other data that could besensitive such as emails, usernames, etc. it is recommended that youplace the database in a secure folder that isn't accessible through aweb browser. The install instructions tell you how to do this.
]]> Mon, 10 Oct 2005 08:53:43 +0000 https://forums.webwiz.net/how-safe-is-encryption_topic16854_post91959.html#91959 <![CDATA[How Safe is Encryption? : How safe is the Web Wiz Forum's...]]> https://forums.webwiz.net/how-safe-is-encryption_topic16854_post91932.html#91932 Author: davidshq
Subject: 16854
Posted: 09 October 2005 at 2:35pm

How safe is the Web Wiz Forum's encryption? If a hacker had the entirescript and database at his disposal would he be able to hack it and howeasily?
David.
]]> Sun, 09 Oct 2005 14:35:36 +0000 https://forums.webwiz.net/how-safe-is-encryption_topic16854_post91932.html#91932