Small Problem with Web Site

Anything else. Come in, say hi!
  • Ads

Small Problem with Web Site

Postby Sc00bz » Fri Jul 16, 2010 6:40 am

On page http://www.cryptohaze.com/gpurainbowcracker.php your GPU performance table is mislabeled a nVidia 8800 GTX OC is faster than a nVidia GTX295 (single core).

Ohh yeah on page http://www.cryptohaze.com/passwordsecurity.php "Password Storage: You're doing it wrong if: .... You let users log in with plaintext passwords over unencrypted HTTP." Don't you do that? :D I know FRT and 3.14.by do the same thing and Hashkiller uses Simple Machines Forum which stores sha1(user + pw) in the database and during log in sends sha1(sha1(user + pw) + salt) on the first log in attempt but after that it sends plain text. Which I'd say is not secure either. Personally I'd use a self signed cert or Javascript RSA to send "md5(user + pw) xor salt," but godaddy does have cheap certs $25/yr.
Sc00bz
 
Posts: 93
Joined: Thu Jan 22, 2009 9:31 pm

Re: Small Problem with Web Site

Postby Bitweasil » Sat Jul 17, 2010 12:30 am

Thanks for the suggestions, I will fix those benchmark errors.

The old Cryptohaze login had some javascript mangling, and I *think* phpBB3 does as well, but I should probably check that. :)
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Small Problem with Web Site

Postby Sc00bz » Sat Jul 17, 2010 10:21 pm

POST /forum/ucp.php?mode=login HTTP/1.1
....
Content-Length: 86

username=sc00bz&password=password removed&login=Login&redirect=.%2Findex.php%3F


That is my real password too including the [ i] [ /i] ohh right [] would be %5B and %5D damn you got me it's not :)
Sc00bz
 
Posts: 93
Joined: Thu Jan 22, 2009 9:31 pm

Re: Small Problem with Web Site

Postby Bitweasil » Sun Jul 18, 2010 5:46 pm

Oh FFS. Yeah, looks like you're right. I'll see if I can find a patch to fix that...
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Small Problem with Web Site

Postby Sc00bz » Sun Jul 18, 2010 9:51 pm

Well besides a self signed cert which looks bad but is safe because it's a one time warning and the user will know when it changes and Javascript RSA which can be man in the middled without the user knowing. You can modify the hash function for phpBB so it does md5($user . $pw) before it does the normal phpBB. Only problem is that you will have to check with ajax first to see if the user has the newer hash then you can send md5($user . $pw) instead of just the paint text password.
Sc00bz
 
Posts: 93
Joined: Thu Jan 22, 2009 9:31 pm


Return to General Chatter

Who is online

Users browsing this forum: No registered users and 2 guests

cron