They probably did a library lookup on your password's MD5 hash. There are millions of stored hashes out there for library lookups. Your password was probably a known hash.
I'd suggest adding "salt" to your password before making it an MD5 hash. I'm not sure if you know how that works, so I'll explain anyway. There's a certain arbitrary string (e.g. "a5k50") that only your server knows. Every time someone enters a password, that arbitrary string is added to the beginning and end (or however you like) of the string, before it is encrypted in MD5. This is done every time someone sends your server a password, so it's just as if people are entering a more complicated password than normal. These salted passwords will not be in an MD5 hash lookup library, unless you're extremely unlucky.
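As an added example (not code from the post above), the scheme the answer describes, a fixed server-only string wrapped around the password before MD5, next to a small constructed stand-in for a hash lookup library, so you can see why the unsalted digest is found and the salted one is not. The `SERVER_SECRET` value, the `COMMON_PASSWORDS` list and all function names are assumptions made for this example. The second half goes beyond the post: it stores a random per-user salt beside an iterated PBKDF2 hash, which is the form a defender would normally deploy today.

```python
import hashlib
import hmac
import os

# Constructed example value standing in for the server-only string the post describes.
SERVER_SECRET = "a5k50"


def plain_md5(password: str) -> str:
    """Unsalted MD5, the scheme the post says was defeated by a lookup library."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_md5(password: str, secret: str = SERVER_SECRET) -> str:
    """The post's scheme: the secret string is added to both ends, then MD5 is taken."""
    return hashlib.md5((secret + password + secret).encode("utf-8")).hexdigest()


# Constructed stand-in for a precomputed hash lookup library: a handful of
# common passwords mapped from their unsalted MD5 digest back to the plaintext.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
LOOKUP_TABLE = {plain_md5(p): p for p in COMMON_PASSWORDS}


def lookup(digest: str, table=LOOKUP_TABLE):
    """Return the recovered plaintext if the digest is in the table, else None."""
    return table.get(digest)


# Per-user random salt variant (beyond the post): the salt is not a secret, it is
# stored next to the hash, and a slow iterated hash replaces single-round MD5.
def make_record(password: str, iterations: int = 100_000) -> dict:
    """Create a stored credential record: hex salt, iteration count, hex PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_record(password: str, record: dict) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    pw = "letmein"
    print("unsalted digest found in table:", lookup(plain_md5(pw)))
    print("salted digest found in table:", lookup(salted_md5(pw)))
    rec = make_record(pw)
    print("per-user salted record verifies:", verify_record(pw, rec))
    print("wrong password rejected:", not verify_record("letmeout", rec))
```

Two points the code makes concrete: a lookup library only helps against digests of the exact string it precomputed, so any string the library did not see (secret-wrapped or randomly salted) misses; and with per-user salts, two users with the same password get different records, so one recovered password does not reveal the other.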