12-15-2011, 07:06 PM
Quote:
If you are using an old-fashioned .htpasswd file that's only encrypted with the most common method, that's an algorithm called DES which is next to worthless. If those DES encrypted passwords are based on English words, which they normally are if you let your users choose their own passwords, a cracker can decrypt many of those passwords within seconds. You'll want to secure your passwords better than that.
First, how to know if this is a problem for you:
1) If you let users choose their own passwords you have a problem.
2) If your database or password file has the passwords in it in clear text you have a problem.
3) If each line of your password file has the user name, a colon, then 13 characters you have a problem.
4) If any of 1-3 applies to you and you run PHP scripts, you probably have a bigger problem.
PHP scripts make the problem worse because most of them, including most of the most popular ones, include a security hole that will let the attacker download your password list or database. So especially if you use PHP you'll want to be sure your password list is not easily cracked.
DES encryption, used in most .htpasswd files, is no longer effective. I've run a cracker program against some customers' password lists and indeed I was able to crack many passwords in seconds. Part of the reason it's so weak is that it only uses the first 8 characters of the password. With user-chosen passwords the first 8 characters are often found in a cracker's dictionary because they choose passwords based on English words.
You can read more at https://www.bettercgi.com/strongbox/passgen/ and when you are done reading have your friend get Strongbox. It will be the best $159.00 he will ever spend.
__________________
Email: fenris_wolf3000 (a t ) yah00 . c 0 m
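The quoted check 3 (user name, colon, then 13 characters) is easy to automate. The following audit script is an added example, not code from the post or from the Strongbox product; it parses a constructed .htpasswd sample, recognises the hash formats Apache's htpasswd tool emits, and flags the entries that are cheap to crack. The sample hashes are made-up test values, not real credentials.

```python
import re

# Constructed sample .htpasswd contents: one entry per scheme Apache's
# htpasswd tool can write, plus one clear-text line. Values are made up.
SAMPLE_HTPASSWD = """\
# comment lines and blank lines are ignored
alice:ab6xWPkN7C8Ls
bob:$apr1$saltsalt$Vgx3OhaO8eG7g4K8z8Hq61
carol:$2y$05$abcdefghijklmnopqrstuu9bEB7eBmNNX9Ns8ekYpN7gh5m7WAfU2
dave:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
eve:plaintextpassword
"""

# Traditional DES crypt(3) output is exactly 13 characters: a 2-character
# salt followed by 11 hash characters, all from the alphabet [./0-9A-Za-z].
# This is the "13 characters after the colon" test from the quoted post.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(pwfield):
    """Return (scheme, weak) for the password field of one htpasswd line."""
    if DES_CRYPT_RE.match(pwfield):
        # Unsalted beyond 12 bits, fast to brute force, and only the first
        # 8 characters of the password matter. (A 13-character clear-text
        # password would also land here; treat that as weak too.)
        return ("des-crypt", True)
    if pwfield.startswith("$apr1$"):
        return ("apr1-md5", False)   # salted and iterated; legacy, bcrypt preferred
    if pwfield.startswith(("$2y$", "$2a$", "$2b$")):
        return ("bcrypt", False)     # salted, tunable cost: the recommended format
    if pwfield.startswith("{SHA}"):
        return ("sha1", True)        # single unsalted SHA-1: rainbow-table fodder
    return ("plaintext-or-unknown", True)


def audit_htpasswd(text):
    """Parse htpasswd text and return a list of (user, scheme, weak) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, pwfield = line.partition(":")
        if not sep:
            findings.append(("line %d" % lineno, "malformed", True))
            continue
        findings.append((user, *classify_hash(pwfield)))
    return findings


def weak_users(text):
    """Names of accounts whose stored password is cheap to crack."""
    return [user for user, _, weak in audit_htpasswd(text) if weak]
```

Run `weak_users(open("/path/to/.htpasswd").read())` against a real file to get the list of accounts that need a re-hash (for example with `htpasswd -B`) and a forced password change.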