On Wed, 2012-01-04 at 21:06 -0500, Patrick Domack wrote:
Quoting Noel Butler noel.butler@ausics.net:
On Tue, 2012-01-03 at 20:58 -0500, Michael Orlitzky wrote:
To prevent rainbow table attacks, salt your passwords. You can make them a little bit more difficult in plenty of ways, but salt is the /solution/.
Agreed... We use Crypt::PasswdMD5 - unix_md5_crypt() for all general password storage including mail/ftp etc, except for web, where we need to use apache_md5_crypt().
But still, the results are all the same, if they get the hash, it can
be broken, given time. Using more cpu expensive methods make it take
longer (like adding salt, more complex hash). But the end result is
they will have it if they want it.The only solution is to use two factor authenication, or rotate your
passwords quicker than they can get broken.
Yup, anything can be broken, given time and resources, no mater what, but using crypted MD5 is better than using normal md5 (like sadly way too many use) and having easy rainbow attacks succeed in mere seconds.
No mater how good your database security is, always assume the worse, too many think that a DB compromise just can't happen to them, and as murphy's law shows, their usually the ones it does happen to.