perfectfire
  1. perfectfire

    MoDaCo data breach: Full statement

    Like @Kushan said, CRYPT_BLOWFISH is a legit password hashing function. Just be sure to set the cost parameter correctly. You don't want it to be too fast, and you'll need to update the cost parameter over time as computers become more powerful.
  2. perfectfire

    MoDaCo data breach: Full statement

    I'm also waiting on details. MD5 is bad. I just got into competitive password cracking, and my crappy old rig and video card can crank out 1.3 billion MD5 hash values per second. Salted MD5 means they have to try to crack each hash value individually (if the salt is large enough), which helps, but not much for such a fast hash function. I hope Invision means "a hash function based on Blowfish encryption" and not literally Blowfish, the symmetric-key block cipher, because anybody that gains access to your password database has a pretty good chance of getting the encryption key too, at which point all of our passwords are easily converted to plaintext in seconds. That also means that anybody using this software has access to all of their users' passwords because they have the key. That is not how you store login information. You salt the plaintext and use a cryptographically strong one-way hash function purpose-designed for password hashing: one that is slow to compute, takes a significant amount of RAM, etc.
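The two posts above describe the approach a password store should take: a per-user salt, a deliberately slow and memory-hungry hash, a cost parameter recorded with the hash, and a way to raise that cost later. The following is an added example, not code from the thread or from Invision's software; it uses the Python standard library's scrypt in place of CRYPT_BLOWFISH (bcrypt) so it runs without extra packages, and the `scrypt$...` record format is constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Record format (constructed for this example): scrypt$<log2 N>$<r>$<p>$<salt>$<hash>
# Storing the cost parameters beside the hash is what lets a site raise them
# later and still verify (and then upgrade) records made under the old setting.
DEFAULT_LOG2_N, DEFAULT_R, DEFAULT_P = 14, 8, 1   # current policy: N=2^14, 16 MiB


def _kdf(password: str, salt: bytes, log2_n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=1 << log2_n, r=r, p=p, dklen=32)


def hash_password(password: str, log2_n: int = DEFAULT_LOG2_N,
                  r: int = DEFAULT_R, p: int = DEFAULT_P) -> str:
    """Fresh 16-byte random salt per user, then the memory-hard KDF."""
    salt = os.urandom(16)
    digest = _kdf(password, salt, log2_n, r, p)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"scrypt${log2_n}${r}${p}${b64(salt)}${b64(digest)}"


def _parse(stored: str):
    tag, log2_n, r, p, salt, digest = stored.split("$")
    if tag != "scrypt":
        raise ValueError("unknown hash format")
    return int(log2_n), int(r), int(p), base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    log2_n, r, p, salt, expected = _parse(stored)
    return hmac.compare_digest(_kdf(password, salt, log2_n, r, p), expected)


def needs_rehash(stored: str, log2_n: int = DEFAULT_LOG2_N,
                 r: int = DEFAULT_R, p: int = DEFAULT_P) -> bool:
    """True when the record was made with a cheaper setting than today's policy."""
    old_log2_n, old_r, old_p, _, _ = _parse(stored)
    return old_log2_n < log2_n or old_r < r or old_p < p


def login(password: str, stored: str):
    """Login flow: verify, then transparently upgrade a stale record on success.
    The plaintext is only available at login, so this is the moment to re-hash."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)
    return True, stored
```

Raising `DEFAULT_LOG2_N` by one doubles both the time and the memory an attacker needs per guess, which is the "update the cost over time" step the first post asks for.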