How Safe is Encryption?

davidshq
Posted: 09 October 2005 at 2:35pm
How safe is the Web Wiz Forum's encryption? If a hacker had the entire script and database at his disposal would he be able to hack it and how easily?
David.

WebWiz-Bruce (Admin Group, Web Wiz Developer)
Posted: 10 October 2005 at 8:53am
The encryption for passwords is 160-bit one-way encryption, which means that the passwords cannot be recovered, so there is nothing in the software that a hacker can use to decrypt the password.

For extra security, 'SALT' values are also used so that a hacker cannot try to spot similarities in encoding to work out the passwords.

However, as the forums database carries other data that could be sensitive such as emails, usernames, etc. it is recommended that you place the database in a secure folder that isn't accessible through a web browser. The install instructions tell you how to do this.
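
The effect of the salt described above, as an added example (not part of the original post and not Web Wiz Forums code): two accounts with the same password share a digest when no salt is used and stop doing so once each account has its own random salt, and a salted, deliberately slow PBKDF2 record is shown as the hardened form. SHA-1 stands in for the forum's 160-bit hash as an assumption; the account names, passwords and record format are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; alice and carol picked the same password.
USERS = {"alice": "Sunshine!42", "bob": "c0rrect-horse", "carol": "Sunshine!42"}

def unsalted(password):
    # Weak baseline: equal passwords always give equal digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted(password, salt):
    # Per-user random salt mixed in before hashing (SHA-1 is an assumption).
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def shared_digests(table):
    """Return sorted groups of users whose stored digest is identical."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def make_record(password, iterations=200_000):
    """Hardened form: salted and deliberately slow (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def build_tables():
    # One table of unsalted digests, one with a fresh 16-byte salt per user.
    plain = {u: unsalted(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}
    with_salt = {u: salted(p, salts[u]) for u, p in USERS.items()}
    return plain, with_salt

if __name__ == "__main__":
    plain, with_salt = build_tables()
    print("unsalted, shared digests:", shared_digests(plain))
    print("salted, shared digests:  ", shared_digests(with_salt))
    record = make_record(USERS["alice"])
    print("verify correct:", verify(USERS["alice"], record))
    print("verify wrong:  ", verify("wrong-guess", record))
```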

dfrancis
Posted: 11 October 2005 at 6:28pm

MD5 Hashing Cracked, Now What?

Channel 9

With MD5 being cracked and compromised as a crypto method, what are new alternatives that are stronger than that to use in encryption of passwords and others? I am trying to find a good hashing crypto that is strong and can't be cracked easily for the foreseeable future! Thanks

Tuesday October 11, 2005 3:11PM PDT

Isn't this the method used?

michael
Posted: 11 October 2005 at 11:41pm
Even though MD5 has been cracked, I seriously doubt it can be done by anyone. I don't recall the details but IIRC a massive amount of computer power is needed to repeat this task, thus making it not feasible. In later versions of .NET 2.0 I believe MS is switching to SHAx as the default encryption for its authentication provider, but I'm not 100% sure about that.

JJLatWebWiz
Posted: 12 October 2005 at 1:16pm
The one-way hash function in WWF provides substantial protection of the passwords.  Even if the encryption method were MD5, WWF v7.92 "salts" the hash to make the so-called MD5 crack more difficult.  In practical terms, it would probably be easier to guess your password or trick you into giving it away and much easier to compromise the Windows machine hosting your site than to defeat the encryption.
 
In theory, MD5 and SHA1 hashes suffer from a weakness known as "collisions", where two different strings of text result in the same hash. That means that if your password was "abcd1234" the hash stored in the database might be the same as the hash for "wxyz7890", so an attacker doesn't have to try every possible combination of characters that a 128 bit (for MD5) or a 160 bit (as used by WWF) hash would imply. It could be so easy that a semi-skilled script-kiddie with an average gaming PC could find a collision in a matter of hours. However, the technique used to exploit the weakness requires the attacker to possess the password hash, which WWF does not provide.
 
If an attacker gains access to your database, he has access to the hash and the salt and, presumably, your source code. With all that information, and assuming the one-way hash of WWF is equally vulnerable to collisions, the attacker doesn't have to find your password, he just has to find a set of characters that produces the same hash. If the attacker does not have access to the database, then he has to try billions upon billions of possible passwords, which through the WWF web interface is laughably impractical even if the hash function suffers from collision weaknesses.
 
If the hash used in WWF were MD5, this might be a concern since tools are being developed to demonstrate the MD5 weakness and so punks don't have to understand encryption, just how to use the tool.  Maybe there are people out there who know of a flaw or weakness in the WWF one-way hash, but it seems unlikely given the depth of knowledge it implies.
 
In short, your passwords (and only your passwords) are very secure against being decrypted. Everything else in the equation is so vulnerable that WWF passwords can safely be an afterthought.
 
 
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.

WebWiz-Bruce (Admin Group, Web Wiz Developer)
Posted: 14 October 2005 at 7:19am
The simplest solution, if anyone is worried about the encrypted passwords being decrypted, is to make sure that a hacker doesn't get hold of your database in the first place.

If you are running the Access version, Web Wiz Forums comes with install instructions on how to secure your database from hackers by placing it in a folder that doesn't have HTTP access.

If you are running MS SQL Server, then your database should be pretty secure anyway and you don't need to do anything.

Probably the biggest weakness to a hacker is if you make your admin password easy to guess.