How Safe is Encryption?

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=16854
Printed Date: 16 April 2026 at 6:30am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: How Safe is Encryption?
Posted By: davidshq
Subject: How Safe is Encryption?
Date Posted: 09 October 2005 at 2:35pm
How safe is the Web Wiz Forum's encryption? If a hacker had the entire script and database at his disposal would he be able to hack it and how easily?
David.


-------------
http://www.davemackey.net/ - Dave Mackey - Virtual Home.



Replies:
Posted By: WebWiz-Bruce
Date Posted: 10 October 2005 at 8:53am
The encryption for passwords is 160-bit one-way encrypted, which means that the passwords cannot be recovered, so there is nothing in the software that a hacker can use to decrypt the password.

For extra security 'SALT' values are also used so that a hacker cannot try to spot similarities in encoding to try and work out the passwords.

However, as the forums database carries other data that could be sensitive such as emails, usernames, etc. it is recommended that you place the database in a secure folder that isn't accessible through a web browser. The install instructions tell you how to do this.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting
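
Added example, not part of the thread and not Web Wiz Forums code: a salted 160-bit one-way hash of the kind the reply above describes, showing that a per-account salt hides which accounts share a password. SHA-1, the salt-then-password order and all function names are assumptions; `stretched` goes beyond the thread to show a deliberately slow salted derivation.

```python
import hashlib
import hmac
import os

def unsalted_sha1(password):
    # 160-bit digest with no salt: equal passwords give equal stored values.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_sha1(password, salt):
    # Assumed construction (salt prepended); the forum's real scheme is not shown in the thread.
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()

def stretched(password, salt, iterations=200_000):
    # Goes beyond the thread: a deliberately slow salted derivation (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt), iterations).hex()

def register(db, user, password):
    salt = os.urandom(16).hex()  # fresh random salt per account
    db[user] = {"salt": salt, "hash": salted_sha1(password, salt)}

def verify(db, user, password):
    row = db.get(user)
    if row is None:
        return False
    # Recompute with the stored salt and compare in constant time.
    return hmac.compare_digest(salted_sha1(password, row["salt"]), row["hash"])

def shared_hashes(rows):
    # Group users whose stored values are identical (what a reader of the table could spot).
    groups = {}
    for user, digest in rows.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def demo():
    # Constructed sample accounts; alice and bob share a password.
    accounts = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}
    unsalted = {u: unsalted_sha1(p) for u, p in accounts.items()}
    db = {}
    for u, p in accounts.items():
        register(db, u, p)
    salted = {u: row["hash"] for u, row in db.items()}
    return shared_hashes(unsalted), shared_hashes(salted), db

if __name__ == "__main__":
    same_unsalted, same_salted, _ = demo()
    print("unsalted duplicates:", same_unsalted)
    print("salted duplicates:  ", same_salted)
```
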


Posted By: dfrancis
Date Posted: 11 October 2005 at 6:28pm

MD5 Hashing Cracked, Now What?

Channel 9

With MD5 being cracked and compromised as a crypto method, what are new alternatives that are stronger than that to use in encryption of passwords and others? I am trying to find a good hashing crypto that is strong and can't be cracked easily for the foreseeable future! Thanks

Tuesday October 11, 2005 3:11PM PDT

Isn't this the method used?


Posted By: michael
Date Posted: 11 October 2005 at 11:41pm
Even though MD5 has been cracked, I seriously doubt it can be done by anyone. I don't recall the details but IIRC a massive amount of computer power is needed to repeat this task, thus making it not feasible. In later versions of .net 2.0 I believe MS is switching to SHAx as the default encryption for its authentication provider but not 100% about that.

-------------
http://baumannphoto.com - Blog | http://mpgtracker.com - MPG Tracker


Posted By: JJLatWebWiz
Date Posted: 12 October 2005 at 1:16pm
The one-way hash function in WWF provides substantial protection of the passwords.  Even if the encryption method were MD5, WWF v7.92 "salts" the hash to make the so-called MD5 crack more difficult.  In practical terms, it would probably be easier to guess your password or trick you into giving it away and much easier to compromise the Windows machine hosting your site than to defeat the encryption.
 
In theory, MD5 and SHA1 hashes suffer from a weakness known as "collisions", where two different strings of text result in the same hash.  That means that if your password was "abcd1234" the hash stored in the database might be the same as the hash for "wxyz7890", so an attacker doesn't have to try every possible combination of characters that a 128 bit (for MD5) or a 160 bit (as used by WWF) hash would imply.  It could be so easy that a semi-skilled script-kiddie with an average gaming PC could find a collision in a matter of hours.  However, the technique used to exploit the weakness requires the attacker to possess the password hash, which WWF does not provide.
 
If an attacker gains access to your database, he has access to the hash and the salt and, presumably, your source code.  With all that information, and assuming the one-way hash of WWF is equally vulnerable to collisions, the attacker doesn't have to find your password, he just has to find a set of characters that produces the same hash.  If the attacker does not have access to the database, then he has to try billions upon billions of possible passwords, which through the WWF web interface is laughably impractical even if the hash function suffers from collision weaknesses.
 
If the hash used in WWF were MD5, this might be a concern since tools are being developed to demonstrate the MD5 weakness and so punks don't have to understand encryption, just how to use the tool.  Maybe there are people out there who know of a flaw or weakness in the WWF one-way hash, but it seems unlikely given the depth of knowledge it implies.
 
In short, your passwords (and only your passwords) are very secure against being decrypted.  Everything else in the equation is so vulnerable that WWF passwords can safely be an after-thought.
 
 


-------------
p.s. I'm not affiliated with Web Wiz Guide in any way. I'm just an average Web Wiz user repaying my debt for the use of their fine forum by trying to help other Web Wiz Guide users.


Posted By: WebWiz-Bruce
Date Posted: 14 October 2005 at 7:19am
The simplest solution if anyone is worried about the encrypted passwords being de-crypted is to make sure that a hacker doesn't get hold of your database in the first place.

If you are running the Access version, Web Wiz Forums comes with install instructions on how to secure your database from hackers by placing it in a folder that doesn't have HTTP access.

If you are running MS SQL Server, then your database should be pretty secure anyway and you don't need to do anything.

Probably the biggest weakness to a hacker is if you make your admin password easy to guess.


-------------
https://www.webwiz.net/web-wiz-forums/forum-hosting.htm - Web Wiz Forums Hosting
https://www.webwiz.net/web-hosting/windows-web-hosting.htm - ASP.NET Web Hosting


