question about md5, rainbow tables, salting, etc.

Started by Darren Dirt, October 16, 2015, 08:48:17 AM


Darren Dirt

Quote from: Thorin on October 19, 2015, 11:53:31 AM
As far as I know most developers still store the salt and hash in separate columns, but some have decided to store them together in one field.  The one thing I don't like about joining it all together is that future developers have to figure out just how to separate the three fields from the single string.  It's more straightforward if the three fields are separated in the databases.

Or not have to "figure out" anything, since that final link I shared is a "standard" that came from the *nix world and is now propagating into various APIs as a standard (e.g. the PHP world). Using "$" as a delimiter seems a decent enough standard, since it's human-readable if necessary and allows "optional" elements to be included as long as the first and last elements are consistent and expected (e.g. you could use AR = STRING.split() and then use AR[0] for the first and AR[AR.length-1] for the last; not too complex, just an extra step, actually really just a "different" step compared to having separate fields for each element).


Good talk, guys. I feel appropriately humbled, and the related of my brain has shut up finally. ;)
_____________________

Strive for progress. Not perfection.
_____________________
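As an added illustration of the "$"-delimited single-field approach discussed above (example code written for this page, not code from the thread or from any PHP or *nix library), the block below builds a record of the hypothetical form `$pbkdf2-sha256$<iterations>$<salt>$<hash>`, then parses it back by splitting on "$" and taking the first real element and the last element, exactly the split-and-index step described in the post. The field layout, the algorithm label and the iteration count are assumptions for the example; a real deployment would use the format its password library emits.

```python
"""Added example: salt, parameters and hash stored in one '$'-delimited field.

Assumed (hypothetical) record layout:
    $pbkdf2-sha256$<iterations>$<salt base64>$<hash base64>
Like crypt(3)-style strings the record starts with '$', so split('$')
yields an empty element first; the hash is always the last element.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2-sha256"          # assumed algorithm label for this example
DEFAULT_ITERATIONS = 600_000    # assumed work factor for PBKDF2-HMAC-SHA256


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a single '$'-delimited record carrying algo, iterations, salt, hash."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Leading "" produces the leading '$' when joined.
    return "$".join(["", ALGO, str(iterations), _b64(salt), _b64(digest)])


def parse_record(record: str) -> dict:
    """Split the stored field back into its parts; reject anything malformed."""
    parts = record.split("$")
    # parts[0] must be '' (leading '$'); at least algo, iterations, salt, hash follow.
    if len(parts) < 5 or parts[0] != "":
        raise ValueError("malformed password record")
    return {
        "algo": parts[1],                 # first real element
        "iterations": int(parts[2]),
        "salt": _unb64(parts[3]),
        "hash": _unb64(parts[-1]),        # last element is always the hash
    }


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/parameters and compare in constant time."""
    fields = parse_record(record)
    if fields["algo"] != ALGO:
        return False   # unknown algorithm label: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    fields["salt"], fields["iterations"])
    return hmac.compare_digest(candidate, fields["hash"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("wrong password", rec))
```

Because the algorithm label and iteration count travel with each record, a future developer can raise the work factor or switch algorithms and still verify old records, then rehash on the next successful login; with separate columns that versioning has to be added to the schema instead.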

Mr. Analog

The thing is, security is hard, and more complexity usually means more attack surface.

You also have to think laterally. The weakest link in a lot of systems is the users: what if a user exposes their password? What are the repercussions?

I highly recommend reading up on Threat Risk Modelling:
https://www.owasp.org/index.php/Threat_Risk_Modeling

Another thing that can help is doing a cross-team penetration test (red vs blue), force people to put on black hats and try to think like an attacker (especially with "privileged" information)

Attack vectors can come from former employees (hell, current employees) with access to information, including implementation.

I love doing security work because it makes me think of the app and company practices from a very different point of view (admin user passwords may be really safe, but if I was looking for an "in", would I attack the thickest part of the wall?).
By Grabthar's Hammer

Darren Dirt

Good share, that website is all about web app security.

And this sums up some common practices re. the use and storage of the hash, salt, etc.:
https://www.owasp.org/index.php/Guide_to_Authorization
_____________________

Strive for progress. Not perfection.
_____________________

Mr. Analog

Quote from: Darren Dirt on October 19, 2015, 03:21:52 PM
Good share, that website is all about web app security.

Many of the principles for identifying threats are applicable to any piece of software

Web dev is one of the most troubling from a security point of view because virtually everything in the chain between client and server has to be treated as untrusted...
By Grabthar's Hammer

Thorin

The thing about doing security right is you have to assume that everything you do will fail.  So the question is, can you make it take long enough to fail so you have time to handle the situation?
Prayin' for a 20!

gcc thorin.c -pedantic -o Thorin
compile successful