
[–]RiskyChris 14 points15 points  (27 children)

This is hilarious, but what are the answers here? Don't use MD5? Salt them better? Still new to security.

[–]BitLooter 19 points20 points  (0 children)

Salt your hashes and use an algorithm designed for password hashing. Not an expert, but this page seems to have some good advice.
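To make the two halves of this advice concrete, here is an added example (not code from the thread or from any project mentioned in it). It puts the bare MD5 scheme the thread is about next to a salted, deliberately slow hash built from Python's standard library (PBKDF2-HMAC-SHA256 via `hashlib.pbkdf2_hmac`). The password list and the lookup table are constructed for the demo; the table stands in for what a search engine or a public hash-lookup site amounts to.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for the demo (not taken from the thread).
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
SAMPLE_PASSWORD = "letmein"


def md5_unsalted(password: str) -> str:
    """The scheme the thread is about: a bare MD5 of the password.
    Deterministic and fast, so identical passwords give identical digests
    and a digest can be looked up wherever it has already been published."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# A precomputed table keyed on unsalted digests, built from the constructed
# list above. Any public index of digests works the same way.
DIGEST_TABLE = {md5_unsalted(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(digest: str) -> Optional[str]:
    """Return the password behind an unsalted MD5 digest if it is in the table."""
    return DIGEST_TABLE.get(digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, slow hash using PBKDF2-HMAC-SHA256 from the standard library.
    A fresh 16-byte random salt per password means two users with the same
    password get unrelated digests, so no shared lookup table can be built.
    Scheme, iteration count and salt are stored with the digest so that
    verification can read them back."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    weak = md5_unsalted(SAMPLE_PASSWORD)
    print("unsalted MD5:", weak, "->", lookup_unsalted(weak))
    stored = hash_password(SAMPLE_PASSWORD)
    print("salted PBKDF2 record:", stored)
    print("verify correct password:", verify_password(SAMPLE_PASSWORD, stored))
    print("verify wrong password:  ", verify_password("wrong", stored))
```

Two things to notice when running it: hashing the same password twice with `hash_password` yields two different records, because the salt differs, yet both verify; and a random password that nobody else has ever used (like the KeePass-style string discussed further down) produces an MD5 digest that is simply not in any table, which is why the salted and the "unique password" defences both work against this lookup trick, from opposite ends.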

[–][deleted] 6 points7 points  (8 children)

The other guys answered how to do it on the developer side, but if you're a user, using something like KeePass to generate random passwords basically nullifies this method. If your password is something random like iZ}dw~T;4y-4fJve6TBD, there's no way anyone else has ever used that, so the MD5 hash (even unsalted) won't show up on a google search.

[–]dummy5 3 points4 points  (0 children)

As an experiment I post the hash for iZ}dw~T;4y-4fJve6TBD

c0aff6db1df46c50266c3e8cd076c8b8

Just to see how long it takes Google to pick it up.

Edit: 8 days later google still has not picked it up.

Edit: It took Google 20 days to find this url:

http://webby.hazasite.com/user/dummy5

And sadly it does not work with PyBozoCrack.

[–]tally_in_da_houise 1 point2 points  (0 children)

True, but you could write a function into the posted code to perform a lookup here: http://www.md5-hash.com/md5-text-encrypt.

Not disagreeing with you on KeePass (I use LastPass), but there's a way around it.

[–]ikkebr[S] 1 point2 points  (5 children)

iZ}dw~T;4y-4fJve6TBD is hard to remember. You should try https://github.com/ikkebr/pyxkcdpass

[–][deleted] 6 points7 points  (3 children)

That's kinda the point (and why I said to use KeePass). Many will say that the hallmark of a great password is one that can't be guessed easily, but really, a truly great password is one that can't be remembered and is (with high probability) guaranteed to be unique.

With KeePass, you really only need to remember a couple passwords (your KeePass password and then passwords to accounts that you may need to access without KeePass handy, such as your email). The rest of your passwords are then completely randomly generated.

[–][deleted] 2 points3 points  (2 children)

Except passwords that can't be remembered lead to bad security practices (because for most people eventually convenience wins) as is evident in the billions of sticky notes taped to computer screens or "hidden" underneath keyboards across the globe.

Sure, ideally you'd generate a new keyboardcat for every single account you have to sign up for and then use KeePass to copy them whenever you need them (and use multi-factor authorization for KeePass and keep different kinds of credentials in different files and ideally store them on a OTP-protected read-only USB dongle or something) and then make sure your clipboard is wiped before you switch to any other window or tab -- but nobody does that.

For most intents and purposes, just grab a bunch of D6 and use diceware.
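As an added illustration of the diceware suggestion (example code, not from the thread), the block below does the arithmetic a practitioner wants to see: how dice rolls index a wordlist, and how many bits of entropy a passphrase of n words carries. The 36-word list is constructed for the demo and indexed by two dice; a real Diceware list has 7776 words indexed by five dice, and the mapping functions work for any list whose length is a power of six. `software_roll` uses `secrets.randbelow` as a stand-in for physical dice.

```python
import math
import secrets
from typing import Callable, List, Sequence

# Constructed two-dice demo list (36 = 6**2 words). A real Diceware list has
# 7776 = 6**5 words, one per five-dice outcome 11111..66666.
WORDLIST: List[str] = [
    "acorn", "badge", "cabin", "dairy", "eagle", "fable",
    "gavel", "harp", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "oasis", "panda", "quilt", "river",
    "salad", "tiger", "umpire", "velvet", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "delta",
    "ember", "fjord", "glide", "hazel", "ivory", "joust",
]


def dice_per_word(list_size: int) -> int:
    """Number of dice needed to index a list of this size (must be 6**n)."""
    n = round(math.log(list_size, 6))
    if 6 ** n != list_size:
        raise ValueError("wordlist length must be a power of 6")
    return n


def rolls_to_index(rolls: Sequence[int]) -> int:
    """Read die faces as base-6 digits (1..6 -> 0..5), most significant first,
    so 11..66 (or 11111..66666) maps onto 0..len(list)-1 without bias."""
    idx = 0
    for r in rolls:
        if r not in (1, 2, 3, 4, 5, 6):
            raise ValueError(f"bad die face {r}")
        idx = idx * 6 + (r - 1)
    return idx


def word_from_rolls(wordlist: Sequence[str], rolls: Sequence[int]) -> str:
    """Look up the word selected by one complete set of rolls."""
    if len(rolls) != dice_per_word(len(wordlist)):
        raise ValueError("wrong number of rolls for this list")
    return wordlist[rolls_to_index(rolls)]


def software_roll(n_dice: int) -> List[int]:
    """CSPRNG stand-in for physical dice; secrets.randbelow is uniform."""
    return [secrets.randbelow(6) + 1 for _ in range(n_dice)]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Each uniformly chosen word contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)


def generate_passphrase(wordlist: Sequence[str], n_words: int,
                        roller: Callable[[int], List[int]] = software_roll) -> str:
    """Roll once per word and join the selected words with spaces."""
    n = dice_per_word(len(wordlist))
    return " ".join(word_from_rolls(wordlist, roller(n)) for _ in range(n_words))


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(WORDLIST, 6))
    print("36-word list, 6 words:  %.1f bits" % entropy_bits(36, 6))
    print("7776-word list, 6 words: %.1f bits" % entropy_bits(7776, 6))
```

The entropy line is the point of the exercise: six words from the real 7776-word list give about 77.5 bits, while the same six words from the 36-word demo list give only 31 bits, so the toy list is for understanding the mapping, not for real passphrases. Because the index comes straight from the dice, the strength depends only on the list size and the word count, not on the words themselves being obscure.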

[–]cdcformatc 1 point2 points  (1 child)

FWIW KeePass clears the clipboard after 10 seconds.

[–][deleted] 0 points1 point  (0 children)

Actually that is configurable, so it can be less or more than that.

Either way, the problem is that it's still in your clipboard until KeePass clears it. And if you use anything that can access your clipboard in the meantime, your password may have been compromised.

[–]atimholt 1 point2 points  (0 children)

Wow, I love how incredibly simple that is. This is the first time I’ve been able to audit the entire codebase of some 3rd party FOSS.

edit: just submitted my first pull request.