<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/MustLive Edition" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments for the entry: Faulty using of MD5 in web applications</title>
	<link>http://websecurity.com.ua/4459/</link>
	<description></description>
	<pubDate>Sat, 18 Apr 2026 15:10:58 +0000</pubDate>
	<generator>http://wordpress.org/?v=MustLive Edition</generator>

	<item>
		<title>from: MustLive</title>
		<link>http://websecurity.com.ua/4459/#comment-332027</link>
		<pubDate>Wed, 18 Aug 2010 18:07:38 +0000</pubDate>
		<guid>http://websecurity.com.ua/4459/#comment-332027</guid>
					<description>I've added to the article the information about testing of different hash functions (which I've conducted using the service rehash.dustinfineout.com).</description>
		<content:encoded><![CDATA[<p>I&#8217;ve added to the article the information about testing of different hash functions (which I&#8217;ve conducted using the service rehash.dustinfineout.com).
</p>
]]></content:encoded>
				</item>
	<item>
		<title>from: MustLive</title>
		<link>http://websecurity.com.ua/4459/#comment-331882</link>
		<pubDate>Sun, 15 Aug 2010 12:28:05 +0000</pubDate>
		<guid>http://websecurity.com.ua/4459/#comment-331882</guid>
					<description>&lt;strong&gt;Shawn&lt;/strong&gt;

You concluded very exactly - using an "abbreviated" MD5 is insecure. In my article I did not say that it is completely insecure, but that depending on some parameters it can be - such as the length of the md5-string used.

In the article I wrote about using md5 for generating strings (random strings) for security purposes. And as I showed in my examples, a small length of md5-string is very insecure, but I stated that using a large length of md5-string (from 7 to 32 chars) can give enough reliability (but not less than 7 chars).

Here are some examples of using md5-strings with sufficient length for security purposes. Since WP 2.0.3 (in 2006) there are anti-CSRF tokens in WP and md5 is used for making random strings for tokens. A 10-char md5-string is used, so it gives 16^10 = 1099511627776 possible combinations (so it's reliable enough). In Drupal (as I checked in 6.x versions) the full length of md5 (32 chars) is used for anti-CSRF tokens, which gives 16^32 possible combinations (so it's indeed reliable). So developers need to pay attention to md5 or other hash functions which they are using for security purposes and use them wisely.</description>
		<content:encoded><![CDATA[<p><strong>Shawn</strong></p>
<p>You concluded very exactly - using an &#8220;abbreviated&#8221; MD5 is insecure. In my article I did not say that it is completely insecure, but that depending on some parameters it can be - such as the length of the md5-string used.</p>
<p>In the article I wrote about using md5 for generating strings (random strings) for security purposes. And as I showed in my examples, a small length of md5-string is very insecure, but I stated that using a large length of md5-string (from 7 to 32 chars) can give enough reliability (but not less than 7 chars).</p>
<p>Here are some examples of using md5-strings with sufficient length for security purposes. Since WP 2.0.3 (in 2006) there are anti-CSRF tokens in WP and md5 is used for making random strings for tokens. A 10-char md5-string is used, so it gives 16^10 = 1099511627776 possible combinations (so it&#8217;s reliable enough). In Drupal (as I checked in 6.x versions) the full length of md5 (32 chars) is used for anti-CSRF tokens, which gives 16^32 possible combinations (so it&#8217;s indeed reliable). So developers need to pay attention to md5 or other hash functions which they are using for security purposes and use them wisely.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>from: Shawn</title>
		<link>http://websecurity.com.ua/4459/#comment-331833</link>
		<pubDate>Sun, 15 Aug 2010 05:35:24 +0000</pubDate>
		<guid>http://websecurity.com.ua/4459/#comment-331833</guid>
					<description>I think you're spot on in this. The use of an **abbreviated** MD5 as a keystone to any form of secure data is laughably insecure, and web developers should take note that the level of protection gained by this method is abysmally small, within the realm of "security by weak obscurity."</description>
		<content:encoded><![CDATA[<p>I think you&#8217;re spot on in this. The use of an **abbreviated** MD5 as a keystone to any form of secure data is laughably insecure, and web developers should take note that the level of protection gained by this method is abysmally small, within the realm of &#8220;security by weak obscurity.&#8221;
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
