Quote:
Originally Posted by redambergreen
I've had a look into this and while it's not as bad as it first seems, it's still pretty bad.
The passwords are being hashed locally using MD5 (unsalted)
|
This is real bad if the servers ever get "hacked".. hmm
also: "salting" MD5 is still not secure. MD5 is obsolete since.. when was the youngest member of this site born?
I am no coder, so I have no idea what it would need to rework the password-scheme.
But if it were to be reeimplemented, I'd suggest to never roll your own "encryption/hash-function". Use what is established and gets updated.
PHP Code:
password_hash();
----------------------------------
Quote:
Originally Posted by redambergreen
This is very easily attacked by capturing the packet (as I just did), and using something like Fiddler to manipulate the POST payload upon logon with the username and hash of someone else on your local network.
|
Despite the way passwords are stored on the server. This is exactly my point!
Room-mates could be neferious enough. The hole college student apartment uses the same network?.. yeah, nobody is studying IT there and wants to test what they have learned.
Or people like me.. on a public WiFi..
-- if there is one, there are many who do this
My offer about helping to implement SSL/TLS free of charge still stands!
My sites get an A+ rating on
https://www.ssllabs.com/ssltest/ using a cost free certificate that automatically renews itself →
https://letsencrypt.org/
Encrypt all the things!!
==============
Quote:
Originally Posted by Zoeys fun time
Well in my opinion *Insert smart sounding techno Babble here*
Love,
Zoey
|
That should do it!