Monthly Archives: June 2012

MD5 Insecurity

The following post is about security. I am in no way a security expert, far from it, but this is basic, basic stuff. OK, hands up: who can tell me what this is?

5f4dcc3b5aa765d61d8327deb882cf99

The average person might say a code of some sort. A slightly more techie person might say it's an encrypted word. Someone more technical still might identify it as an MD5 hash, and anyone with moderate technical experience would be able to identify it as the MD5 hash of the string “password” (paste it into a search engine and see). And that, people, is the issue: if the hash can be turned straight back into the password, a leaked table of hashes is enough to get into a lot of accounts on a lot of web sites.

A lot of websites require a login of some sort. You know the drill, you've done it a thousand times: register for this site with a username or email and a password. Some sites go as far as imposing password complexity rules, but a lot don't, and you probably end up using the same password for every site you register for. This is an accident waiting to happen. Why? Because when you register for a site you expect the developers of the system to be competent people who know what they are doing with your sensitive information. Let me tell you now, a lot of them don't, and it is beginning to scare me more and more.

Any developer should know at least one thing about security: don't store passwords in plain text. The usual answer is to run each password through a one-way hash function (such as MD5) and store the hash. Note that this is hashing, not encryption: there is no key and nothing to decrypt, which is the whole point. That way, if anyone got hold of the database they still wouldn't know your password. But on its own this is no longer enough. I've hashed the password with MD5, and yet, as the example above shows, anyone careless enough to use the password “password” may as well have had it stored in plain text, because the MD5 of every common word has long since been computed and can simply be looked up. That is unfortunately true of every word in the dictionary, and, thanks to precomputed tables and plain brute force at the billions of MD5 operations per second a modern graphics card manages, also true of just about every random string of letters and numbers up to a reasonable length.

So at the very least, if you are hashing passwords, generate a random salt for each user, add it to the beginning or end of the password (or both) before hashing, and store it alongside the hash. Salt does not make the password itself any longer or stronger; what it does is make the same password hash to a different value for every user and every site, so a precomputed table of common hashes is useless and an attacker has to start the guessing from scratch for each account. That, developer friends, is the very least you should be doing: add salt to your passwords, please, please, please. But in reality you shouldn't be using MD5 any more. It is broken as a cryptographic hash, and SHA-1 isn't much better, although at least it's a step up. My recommendation would be to set the minimum bar at salted SHA-1, with one caveat: a salted fast hash still lets an attacker try billions of guesses a second against each account, so what you should actually use is a purpose-built, deliberately slow password hash such as bcrypt, scrypt or PBKDF2, which makes every guess cost thousands of hash operations instead of one.
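To make the two previous points concrete, here is an added example (my own illustration, not code from the original post). It builds a constructed "leaked" table of unsalted MD5 hashes and a constructed four-word wordlist, shows that cracking it costs one MD5 per wordlist entry no matter how many users leaked, then shows how a per-user salt forces the attacker to redo the work for every account, and finally stores and verifies a password with PBKDF2-HMAC-SHA256 from Python's standard library. PBKDF2 is a slow hash standing in for the bcrypt/scrypt recommendation above; the sample accounts, the wordlist and the storage format are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked user table that stores unsalted MD5,
# the scheme the post warns about. Example accounts only, not real data.
LEAKED_UNSALTED = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob":   "5f4dcc3b5aa765d61d8327deb882cf99",  # same password => same hash
    "carol": "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
}

# Constructed attacker wordlist; a real one has hundreds of millions of entries.
WORDLIST = ["letmein", "password", "123456", "qwerty"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Build one lookup table, then match every leaked hash against it.

    Returns (recovered, hash_operations). The cost is one MD5 per wordlist
    entry regardless of how many users leaked, and identical passwords
    collapse to identical hashes, so the dump is little better than plain text.
    """
    table = {md5_hex(w.encode()): w for w in wordlist}
    recovered = {u: table[h] for u, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def store_salted_md5(password: str) -> tuple:
    """The post's minimum: a random per-user salt prepended before hashing.

    Returns (salt, hex_hash); both must be stored, the salt is not secret.
    """
    salt = os.urandom(16)
    return salt, md5_hex(salt + password.encode())


def crack_salted(leaked: dict, wordlist: list) -> tuple:
    """With salts no precomputed table applies: the attacker must hash the
    wordlist separately for every user, so cost is users x wordlist. Each
    guess is still one fast MD5, though, so weak passwords still fall.
    """
    recovered, ops = {}, 0
    for user, (salt, h) in leaked.items():
        for w in wordlist:
            ops += 1
            if md5_hex(salt + w.encode()) == h:
                recovered[user] = w
                break
    return recovered, ops


def store_pbkdf2(password: str, iterations: int = 100_000) -> str:
    """Purpose-built password hash: salted and deliberately slow.

    Every guess now costs the attacker `iterations` HMAC-SHA256 calls
    instead of a single MD5. The "$"-separated record format is an
    assumption for this example, not a standard encoding.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a wrong guess does not leak via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    salted = {u: store_salted_md5(p)
              for u, p in [("alice", "password"), ("bob", "password")]}
    print("alice and bob differ:", salted["alice"][1] != salted["bob"][1])
    print("salted:", crack_salted(salted, WORDLIST))
    rec = store_pbkdf2("password")
    print("pbkdf2:", verify_pbkdf2("password", rec), verify_pbkdf2("Password", rec))
```

Run it and compare the operation counts: the unsalted dump falls with four hashes total, the salted one needs the wordlist replayed per user, and the PBKDF2 record multiplies every one of those guesses by the iteration count. Note that the salt is stored in the clear next to the hash; it is not a secret, it only stops the attacker sharing work between accounts.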

The reason I'm writing this is that I am more and more amazed at how many registration systems don't do even that much. I've come across many a home-grown system that just MD5s the password, and even some fairly big systems, Drupal 6 being one of them!

And this is the problem: all it takes is one site of sufficient size getting hacked that stores nothing stronger than an unsalted fast hash (LinkedIn, whose leaked hashes turned out to be unsalted SHA-1, is the example of the moment) and your password can be recovered from the dump. Same password on most sites = trouble, and for most people that is exactly the case. Your password is only as secure as the weakest site you've reused it on, which is a scary thought these days.

Techno-baby!

Over the past year or so my Apple product ownership has gone from zero -> four (well, maybe 6/7 if you count peripherals). Is this because I am now a Fanboi and will join the queuing masses in the coming months when the iPhone 5 is announced, camping out for days to be the first, yes the first, to own it for a nanosecond? The short answer is no. I'm still not a massive fan; in fact when I spent £1500+ on my first Apple product I felt dirty inside, and the Yorkshireman in me died a bit more. Don't get me wrong, the products are all good, nicely made, but still overpriced for what they are. I could have bought three decent laptops over the next five years for the price of the MacBook Pro. I bought these devices because, as a developer, they opened up more doors for me.

So around Christmas time, when I was desperately trying to come up with a good gift for my wife, I turned to Apple once again and bought an iPad. The device doesn't fit my needs personally: if I'm surfing the net then I want to do it on a fully functioning laptop, and if I'm casually surfing, my phone suffices. For my wife, however, it did fit the need. I wanted a replacement for her ageing netbook and the iPad fit the bill.

I also had a sneaking suspicion that my one-year-old Adam would take to it as well. What I didn't realise was how much, and how easily, he would take to it. Bear in mind that we are talking about a baby who cannot yet talk and has the attention span of a fly. He was instantly hooked, and in some ways obsessed with the device. It could keep him amused for minutes (a big thing for him)! He instantly got the interaction and was happily switching between apps, making noises, and rotating the screen to get it the right way up. Amazing really for someone so young.

Fast forward six months and, whilst he still can't talk (he's getting there), his level of understanding of what the iPad shows him is astounding. We downloaded apps that make animal noises, as he likes animals, and the education the iPad has given him is brilliant. As the following video shows, he can identify animals I wouldn't have believed possible for a 21-month-old. And he definitely hasn't memorised the locations: they change between portrait and landscape modes, and there are multiple pages. He literally knows what an elephant is, what it looks like and what it sounds like. The video doesn't show it, but he can equally point out flamingos, camels and crocodiles, not exactly your average farmyard animals.

I never had anything like this as a kid, as obviously the technology wasn't there, but today it is. I am filled with a sense of awe at what children today will be achieving in 20-30 years with the foundation that is now the norm. Technology is amazing.