Blog Documentation Try Vanilla Cloud
Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

Vanilla with a pinch of salt...

WallPhoneWallPhone
edited May 2006 in Vanilla 1.0 Help
Just curious if there was a reason why I don't see any salting of the password hash in Vanilla. MD5 has been around long enough that if you know the MD5 value, you have a good chance of looking up what the password may be.

Comments

  • Options
    MarkMark Vanilla Staff
    edited April 2006
    It wasn't important. Version 1 is finished. That was an important goal.

    Plus, to change the way passwords are handled would be a huge pain in the ass for people upgrading to the new version with existing forums.

    Regardless, what Vanilla has is industry standard and completely acceptable.
  • Options
    BergamotBergamot
    "MD5 has been around long enough that if you know the MD5 value, you have a good chance of looking up what the password may be." There is a collision algorithm, but it's not necessarily fast or easy.
  • Options
    WallPhoneWallPhone
    edited April 2006
    I was referring to the lookup databases that are popping up (and seem to drop as soon as they get wise to the exponential nature of the problem) http://www.google.com/search?q=md5+reverse+lookup Aye--didin't think of the hurdles to upgrade an existing community...
  • Options
    MarkMark Vanilla Staff
    Also, even if someone managed to get at your cookies, the passwords (md5'd or not) aren't in there. The only way they can get at your password is to (a) query the database directly - which implies that they've already gotten past your db security, or (b) monitor network traffic on your server - which implies that they've already gotten past your server security. If either of those things happened, you've got bigger problems than md5 passwords.
  • Options
    KrakKrak New
    I hear about this from time to time. I think people are really just being over paranoid.
  • Options
    BergamotBergamot
    If you ever access the site over an unencrypted wifi connection, or one that has been cracked, an observer could conceivably grab the md5 hash from the HTTP header, find a collision, and log in with that. In the end though, all he'd get would be your password to a forum he probably doesn't visit anyway.
  • Options
    ToivoToivo New
    edited May 2006
    gosh. people use *the same* password for different sites ...
  • Options
    gigingergiginger New
    Is this another bug?

    This thread was at the top but the post before this one says 1 day ago. I should've screenshotted. Sorry.
  • Options
    drooziedroozie
    It might be because the post before yours, giginger, (Toivo) has been edited?
  • Options
    MinisweeperMinisweeper New
    I think it's the whisper bug mark was talking about isnt it?
This discussion has been closed.