garvinhicking wrote:
> Ha. Wait.
> We can't update the MD5 hashes, because we don't know the passwords of the users.

This is easy - Use a rainbow table!
Passwords are pure MD5-Hashes?!
stm999999999
Re: Passwords are pure MD5-Hashes?!
Ciao, Stephan
williamts99
Re: Passwords are pure MD5-Hashes?!
stm999999999 wrote:
> garvinhicking wrote:
> > Ha. Wait.
> > We can't update the MD5 hashes, because we don't know the passwords of the users.
>
> This is easy - Use a rainbow table!

Sadly that would take care of almost everyone's password. I agree that it should of course be salted. Though the best thing is for people to use unique passwords for each and every site. I happen to use http://passwordmaker.sourceforge.net/ so that no two passwords are ever the same. If your site gets hacked and exposes unsalted hashes of the users, which can then easily be found with rainbow tables, that is very bad for the users. The best idea is to salt the already calculated hash into the new salted hash. The downside is having to always hash twice.
For example my password = password and username = username
Existing hash is for "password"
Code:
5f4dcc3b5aa765d61d8327deb882cf99
Then you use the following to generate the new hash
Code:
5f4dcc3b5aa765d61d8327deb882cf99username
Code:
6af64e847a8654895b0136437e100bbc
Unfortunately for people that use the same passwords for all of their accounts it doesn't protect against 'honey pot' sites that are set up to store the passwords in plain text and then they use those to try and access your other accounts on other sites.
As far as moving away from md5, I can't see any reason to do so. I believe the chances of a collision are too slim for this implementation.
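The migration described in the post above, as an added example that is not part of the thread or of the project's code: stored unsalted MD5 hashes are wrapped with the username as salt without knowing any plaintext, and login then hashes twice. The function names and the sample table are constructed for illustration; the PBKDF2 variant with a random per-user salt goes beyond what the post describes and is an assumption about how the same wrapping would be done with a slow hash.

```python
import hashlib
import hmac
import os


def md5_hex(text: str) -> str:
    """Legacy format: unsalted MD5 of the password, hex encoded."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def wrap_legacy(legacy_md5: str, username: str) -> str:
    """Scheme from the post: new_hash = md5(old_md5_hex + username)."""
    return md5_hex(legacy_md5 + username)


def migrate(table: dict) -> dict:
    """Upgrade {username: legacy_md5} in one pass; no plaintext is needed."""
    return {name: wrap_legacy(old, name) for name, old in table.items()}


def verify_wrapped(password: str, username: str, stored: str) -> bool:
    """Login check: hash the password, then hash again with the username."""
    candidate = wrap_legacy(md5_hex(password), username)
    return hmac.compare_digest(candidate, stored)


def wrap_legacy_pbkdf2(legacy_md5: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """Variant (assumption, not from the thread): random salt and a slow KDF
    applied to the old hash, so each guess costs `rounds` HMAC iterations."""
    return hashlib.pbkdf2_hmac("sha256", legacy_md5.encode("ascii"), salt, rounds)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check for the PBKDF2 variant."""
    return hmac.compare_digest(wrap_legacy_pbkdf2(md5_hex(password), salt), stored)


# Constructed sample table: two users who picked the same password.
LEGACY = {"username": md5_hex("password"), "alice": md5_hex("password")}

if __name__ == "__main__":
    upgraded = migrate(LEGACY)
    for name in LEGACY:
        print(name, LEGACY[name], "->", upgraded[name])
    salt = os.urandom(16)  # stored next to the hash in the user row
    stored = wrap_legacy_pbkdf2(LEGACY["alice"], salt)
    print("pbkdf2 login ok:", verify_pbkdf2("password", salt, stored))
```

Before migration both rows hold the same value, so one precomputed lookup exposes both accounts; after migration the two stored values differ even though the passwords are identical.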