Easy fix
MD5 is pretty simple in PHP.
Here you go, but:
1) Take the site offline.
2) Select a cryptic shared secret (i.e. a key) and put it somewhere in your software library, preferably not in a piece of code reachable directly from the interwebs.
3) Write a quick procedure to run through the existing user/password table and UPDATE the password field to be an MD5 hash of the already stored password.
4) Modify the registration procedure to make an MD5 hash of the password using your shared secret and store it instead of the clear-text password.
5) Modify the login procedure to make an MD5 hash of the entered password before checking it against the password stored in the DB.
6) Deploy the new code.
7) Bring the site back up.
8) Make a few backups, then delete all the previous backups you have with unencrypted passwords.
9) Sleep better.
Posted By: Steve in Holland on August 3rd 2010 at 14:03:33
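The steps above as runnable PHP, added here as an example and not code from the original post. It works against an in-memory array standing in for the user/password table, so it runs offline: the one-off migration pass, the keyed-MD5 registration and login, and then the hardened equivalent using PHP's own password_hash()/password_verify(). Two caveats a practitioner would want: the migration pass (step 3) must apply exactly the same keyed hash as registration and login (steps 4 and 5), or migrated users cannot log in; and unsalted MD5, keyed or not, gives identical rows to users with identical passwords and is fast to guess offline, which is why the second half of the example stores bcrypt hashes instead and upgrades legacy rows at the user's next successful login. The secret value, the sample rows and all function names are this example's own assumptions.

```php
<?php
// Added example; not the original post's code. Names ($users, SECRET,
// legacy_hash(), migrate(), ...) and the sample rows are constructed.
declare(strict_types=1);

// Step 2: the shared secret. In real code load it from outside the web
// root; this literal is only a placeholder for the example.
const SECRET = 'replace-me-with-a-long-random-value';

// Keyed MD5 as the post describes. hash_hmac() is the standard way to
// apply a shared secret to a hash; a plain md5($secret . $pw) would also
// "work" but HMAC is the construction designed for this.
function legacy_hash(string $password): string
{
    return hash_hmac('md5', $password, SECRET);
}

// Constructed sample of the existing table, still in clear text.
$users = [
    ['name' => 'alice', 'password' => 'hunter2'],
    ['name' => 'bob',   'password' => 'hunter2'],
    ['name' => 'carol', 'password' => 'correct horse battery staple'],
];

// Step 3: the one-off migration pass. It uses the same keyed hash as the
// login check below; hashing without the secret here would lock every
// migrated user out.
function migrate(array &$users): void
{
    foreach ($users as &$row) {
        $row['password'] = legacy_hash($row['password']);
    }
    unset($row);
}

// Steps 4 and 5: registration stores the keyed hash, login recomputes it
// from the entered password and compares in constant time.
function legacy_register(string $password): string
{
    return legacy_hash($password);
}

function legacy_login(array $users, string $name, string $password): bool
{
    foreach ($users as $row) {
        if ($row['name'] === $name) {
            return hash_equals($row['password'], legacy_hash($password));
        }
    }
    return false;
}

migrate($users);
var_dump(legacy_login($users, 'alice', 'hunter2'));
var_dump(legacy_login($users, 'alice', 'wrong'));

// The weakness: no per-user salt, so alice and bob, who chose the same
// password, now hold identical rows. One cracked hash (or a leaked secret
// plus a wordlist and a fast MD5 implementation) exposes everyone sharing it.
var_dump($users[0]['password'] === $users[1]['password']);

// Hardened form. password_hash() picks a random salt per user and uses a
// deliberately slow algorithm (bcrypt under PASSWORD_DEFAULT), so equal
// passwords give different hashes and offline guessing is expensive.
function register(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function login(string $stored, string $password): bool
{
    return password_verify($password, $stored);
}

// A keyed-MD5 row cannot be converted to bcrypt without the clear text, so
// legacy rows are upgraded at the user's next successful login, when the
// clear-text password is briefly available.
function login_and_upgrade(array &$row, string $password): bool
{
    if (password_get_info($row['password'])['algo'] !== null) {
        return login($row['password'], $password);      // already bcrypt
    }
    if (!hash_equals($row['password'], legacy_hash($password))) {
        return false;                                    // legacy check failed
    }
    $row['password'] = register($password);              // upgrade in place
    return true;
}

$h1 = register('hunter2');
$h2 = register('hunter2');
var_dump($h1 === $h2);
var_dump(login($h1, 'hunter2'));
var_dump(login_and_upgrade($users[0], 'hunter2'));
var_dump(password_get_info($users[0]['password'])['algo'] !== null);
```

Run it with `php example.php`. Step 8 of the post still applies unchanged: once the table holds hashes, the old backups are the only remaining copies of the clear-text passwords and need to go.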
Message Thread
- FAO conker... (General Chat) - Fierce Panda, Aug 3, 12:58:58
- I've got it too... (General Chat) - Jim Nasium, Aug 3, 13:10:17
- No one willing to help me then? I suppose I will have to stay here (n/m) (General Chat) - conker, Aug 3, 14:02:51
- I like it that he's in Liverpool and the Malaysia at the same time. (n/m) (General Chat) - APB, Aug 3, 13:26:18
- I've even had that on a text message. (n/m) (General Chat) - tudders, Aug 3, 13:24:48
- That's the baby (n/m) (General Chat) - Fierce Panda, Aug 3, 13:13:53
- this is becoming a joke (General Chat) - Charles21, Aug 3, 13:07:19
- Choose a secure password and don't use your hotmail details to sign into a website (General Chat) - Ben, Aug 3, 13:14:37
- Not mine. Er. I think. Pretty sure anyway. (n/m) (General Chat) - megson, Aug 3, 14:02:17
- You need to use hotmail for sites like facebook though (General Chat) - Charles21, Aug 3, 13:36:58
- I used Gmail for Facebook, not that I ever log into the crappy thing (n/m) (General Chat) - CB41, Aug 3, 13:42:21
- No you don't (General Chat) - BerlinCanary, Aug 3, 13:40:39
- ^^^ yes (General Chat) - Ralf Scrampton, Aug 3, 13:52:46
- Well it pays to have a very strong password for the password manager of course (General Chat) - BerlinCanary, Aug 3, 16:25:14
- why not use a very strong password when signing up elsewhere? (General Chat) - Ralf Scrampton, Aug 3, 16:42:30
- Fortunately you store encrypted passwords so that even you don't know what they are (General Chat) - BerlinCanary, Aug 3, 13:16:06
- Indeed. One-way hashed even - MD5 for example ? (n/m) (General Chat) - Steve in Holland, Aug 3, 13:32:43
- Well I probably should be but I'm not (General Chat) - Ben, Aug 3, 13:48:15
- Easy fix (General Chat) - Steve in Holland, Aug 3, 14:03:33
- I know how:-) (General Chat) - Ben, Aug 3, 14:26:41
- lol (n/m) (General Chat) - Steve in Holland, Aug 3, 14:43:15
- :) (n/m) (General Chat) - conker, Aug 3, 14:36:02
- Dougie Houser (n/m) (General Chat) - pants, Aug 3, 13:47:39
- Howser (General Chat) - Steve in Holland, Aug 3, 14:04:07
- i suspect Wrath is still steam-powered (General Chat) - Ralf Scrampton, Aug 3, 13:21:12
- I don't use Hotmail but my son does and he was only on the computer yesterday... (General Chat) - Fierce Panda, Aug 3, 13:16:03
- 9 (n/m) (General Chat) - Jim Nasium, Aug 3, 13:15:47
- I ghet shit loads of those viagra and penis extension ones without knowing. (General Chat) - CB41, Aug 3, 13:09:10
- yes but these ones are directly from friends (General Chat) - Charles21, Aug 3, 13:13:41
- Yep, that's Hotmail for you - more holes than Gruyer (n/m) (General Chat) - CB41, Aug 3, 13:16:53
- More like ex-conquests offering some free help and advice (n/m) (General Chat) - Fierce Panda, Aug 3, 13:14:42
- "Bunny Ethel" sent one of them. (n/m) (General Chat) - CB41, Aug 3, 13:13:26
- Ethel Ponce. (n/m) (General Chat) - tudders, Aug 3, 13:23:16
- oh dear, that was a scam was it? (General Chat) - Brandonio, Aug 3, 13:05:21
- lol (n/m) (General Chat) - Steve in Holland, Aug 3, 13:08:23
- I didn't, I dunt know who he is. (n/m) (General Chat) - CB41, Aug 3, 13:07:38
- Yes indeed I've just had one as well from your gmail account (n/m) (General Chat) - meeky, Aug 3, 13:00:45
- Oh dear, sorry... (General Chat) - Fierce Panda, Aug 3, 13:02:27