Blog Documentation Book a Demo
Vanilla open source was terminated 1 January 2025 by Higher Logic. See this announcement for more information.

Vanilla with a pinch of salt...

WallPhoneWallPhone
edited May 2006 in Vanilla 1.0 Help
Just curious if there was a reason why I don't see any salting of the password hash in Vanilla. MD5 has been around long enough that if you know the MD5 value, you have a good chance of looking up what the password may be.

Comments

  • MarkMark Vanilla Staff
    edited April 2006
    It wasn't important. Version 1 is finished. That was an important goal.

    Plus, to change the way passwords are handled would be a huge pain in the ass for people upgrading to the new version with existing forums.

    Regardless, what Vanilla has is industry standard and completely acceptable.
  • BergamotBergamot
    "MD5 has been around long enough that if you know the MD5 value, you have a good chance of looking up what the password may be." There is a collision algorithm, but it's not necessarily fast or easy.
  • WallPhoneWallPhone
    edited April 2006
    I was referring to the lookup databases that are popping up (and seem to drop as soon as they get wise to the exponential nature of the problem) http://www.google.com/search?q=md5+reverse+lookup Aye--didin't think of the hurdles to upgrade an existing community...
  • MarkMark Vanilla Staff
    Also, even if someone managed to get at your cookies, the passwords (md5'd or not) aren't in there. The only way they can get at your password is to (a) query the database directly - which implies that they've already gotten past your db security, or (b) monitor network traffic on your server - which implies that they've already gotten past your server security. If either of those things happened, you've got bigger problems than md5 passwords.
  • KrakKrak New
    I hear about this from time to time. I think people are really just being over paranoid.
  • BergamotBergamot
    If you ever access the site over an unencrypted wifi connection, or one that has been cracked, an observer could conceivably grab the md5 hash from the HTTP header, find a collision, and log in with that. In the end though, all he'd get would be your password to a forum he probably doesn't visit anyway.
  • ToivoToivo New
    edited May 2006
    gosh. people use *the same* password for different sites ...
  • gigingergiginger New
    Is this another bug?

    This thread was at the top but the post before this one says 1 day ago. I should've screenshotted. Sorry.
  • drooziedroozie
    It might be because the post before yours, giginger, (Toivo) has been edited?
  • MinisweeperMinisweeper New
    I think it's the whisper bug mark was talking about isnt it?
This discussion has been closed.