« Firefox Adsense WordPress PluginHackers Declare Total War against Scientology »
Web Applications like phpBB, WordPress, almost all online apps with authorization capability store user passwords by creating an encrypted hash of your password. The hash is unique to the password so hashing the password in the future will result in the same hash every time.
Usernames and Hashes
So if your password is google and your username is rocks, your app will store you as [user:md5 hash of google] When you enter your username and password to login later, the app compares the md5 hash of your submitted password to the stored hash.
rocks=c822c1b63853ed273b89687ac505f9fa
Cracking Hashes
A hash is encrypted, meaning you can’t reverse-engineer it to find the plain-text. So to crack a hash you have to create a hash for each guess until the hashes match, which tells you the plain-text of the encrypted password.
Rainbow Tables
To speed up this process programmers have created pre-generated tables containing trillions of [plaintext=hash]. So you can quickly search a table for the encrypted hash, and if it finds a match it tells you the decrypted plaintext string.
Test Your Password
I’ve put up a new tool to check the strength of your password hash, which you can use to see if one of your md5 or sha1 password hashes have already been cracked (meaning they are in the rainbow table), so you can be proactive in your security posture.
If you have a user account on forum software like phpBB, or really any web application that stores hashes in a database of some kind, you should find your hash and test it. If it is cracked then you should change your password to include both numbers, symbols, and letters at least 8 characters long.
You can also enter in a plaintxt password and the tool will compute the md5 and sha1 hashes of that password and test those. Your plaintext password is never directly sent to a server, but the md5 and sha1 hashes are.
« Firefox Adsense WordPress Plugin
Hackers Declare Total War against Scientology »
My Picks
- Mod_Rewrite Tips and Tricks
- Crazy Advanced Mod_Rewrite
- THE Ultimate Htaccess
- THE Mod_Rewrite Cheatsheet
- Elite Log Viewing
- DNS: Round Robin Speed
- Fsockopen: Nuts
- Rsync and SSH
Support Freedom or Die
Newest Posts
The love of liberty is the love of others; the love of power is the love of ourselves.
-- William Hazlitt
htaccess Guide
- htaccess tricks for Webmasters
- HTTP Header control with htaccess
- PHP on Apache tips and tricks
- SEO Redirects without mod_rewrite
- mod_rewrite examples, tips, and tricks
- HTTP Caching and Site Speedups
- Authentication on Apache
- htaccess Security Tricks and Tips
- SSL tips and examples
- Variable Fun (mod_env) Section
- .htaccess Security with MOD_SECURITY
- SetEnvIf and SetEnvIfNoCase Examples
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee
James ~
Similar Reads
- Top 5 Vulnerability Port Scanners
- Advanced WordPress wp-config.php Tweaks
- Pen-testing Security Tools
- AskApache Password Protection, For WordPress
- Log all .htaccess/.htpasswd logins
- COMPUTER SECURITY TOOLBOX
- Debug apache log files from php
- Security with Apache htaccess Tutorial
- Login to Google AdSense using PHP
- Control htaccess Basic Authentication with PHP and mod_rewrite
- Fetch Feed Subscribers from Google Reader with CURL
- Auto-Login to Google Analytics to impress Clients
- Apache HTTPD Google CSE
- htaccess HTTPS / SSL Tips, Tricks, and Hacks
- Apache Authentication in htaccess
Tags: Apache, askapache, authorization, Google, Login, password, PHP, phpBB, post, ram, Security, server, SPEED, Username, WordPress,
It's very simple - you read the protocol and write the code. -Bill Joy
HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. NCSA HTTPd.
UNIX ® is a registered Trademark of The Open Group.
POSIX ® is a registered Trademark of The IEEE.
[...] A random and long key gives you better encryption, and exponentially increasing that is using a random and long salt for the encryption. Encryptions with known salts are incredibly easy to decrypt compared to encryptions with secure salts, because the salt + key individually need to be guessed in order to find a matching hash, vs. just the key if the salt is known. See: Locating weak passwords. [...]