Bay 12 Games Forum

Author Topic: Sony's Bullshit  (Read 18200 times)

G-Flex

  • Bay Watcher
Re: Sony's Bullshit
« Reply #150 on: June 03, 2011, 04:46:32 pm »

Storing passwords themselves instead of their hashes seems like a terrible idea to begin with when you're such a high-profile target.
That doesn't really matter. If you get to the password and know what type of hash is being used, it's easy to reveng a string to generate the same hash and match the password. It's a problem with these lazy days of webservice and integration.

That's why you salt hashes and also incorporate software-level secrets (inaccessible to someone who just has account data) as part of it.
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Virex

  • Bay Watcher
  • Subjects interest attracted. Annalyses pending...
Re: Sony's Bullshit
« Reply #151 on: June 03, 2011, 05:17:22 pm »

Nono, there was one that was a simple SQL injection any non-hacker douche can do.

It's really bad.
It's not about what you have to do, any monkey can type in some commands. It's about knowing what to do. Though if it was really glaringly obvious then I'll concede my point, but usually it takes hackers some time to find the vulnerabilities in a system. That's why I thought they got a tip about where to look.

Soulwynd

  • Bay Watcher
  • -_-
Re: Sony's Bullshit
« Reply #152 on: June 03, 2011, 06:42:41 pm »

Storing passwords themselves instead of their hashes seems like a terrible idea to begin with when you're such a high-profile target.
That doesn't really matter. If you get to the password and know what type of hash is being used, it's easy to reveng a string to generate the same hash and match the password. It's a problem with these lazy days of webservice and integration.
That's why you salt hashes and also incorporate software-level secrets (inaccessible to someone who just has account data) as part of it.
Or use your own encryption code. Even adding a simple "hashed pass = hash(password + 'abcd')" to your php code will make it more difficult to reveng the password from a hash.

But most likely, whatever place you go to only uses a simple hash to protect your password.
Though if it was really glaringly obvious then I'll concede my point, but usually it takes hackers some time to find the vulnerabilities in a system. That's why I thought they got a tip about where to look.
Yeah, it was something you can learn how to do from this wikipedia page:
http://en.wikipedia.org/wiki/SQL_injection

Or download assorted programs that do it for you. Like... Not even hacker made programs... Programs meant to test the security of your website.
« Last Edit: June 03, 2011, 06:46:47 pm by Soulwynd »
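Added example (not code from any poster in this thread) showing the difference between the "simple hash" scheme G-Flex and Soulwynd discuss and a salted hash with a server-side secret. The pepper value, the iteration count and the two sample passwords are constructed for the demonstration; the pepper is mixed in with HMAC rather than by string concatenation, and PBKDF2 stands in for whatever slow KDF the deployment uses.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a server-side secret ("pepper"). In a real deployment it
# lives in application config or a secrets store, never in the accounts table, so a
# dump of the user rows alone is not enough to test password guesses offline.
PEPPER = b"constructed-example-pepper"
ITERATIONS = 100_000


def naive_hash(password: str) -> str:
    """The 'simple hash' scheme the thread warns about: no salt, no secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is per-user and stored; the pepper is not."""
    if salt is None:
        salt = os.urandom(16)
    # Bind the pepper to the password with HMAC.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    # Slow, iterated KDF so each guess costs real work.
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Two users who chose the same password; see how each scheme stores it."""
    salt_a, dig_a = hash_password("hunter2")
    salt_b, dig_b = hash_password("hunter2")
    return {
        # Unsalted: identical passwords give identical hashes, so one cracked
        # hash (or one precomputed table) reveals every account using it.
        "naive_collides": naive_hash("hunter2") == naive_hash("hunter2"),
        # Salted: same password, different stored digests.
        "salted_collides": dig_a == dig_b,
        "verify_correct": verify_password("hunter2", salt_a, dig_a),
        "verify_wrong": verify_password("hunter3", salt_a, dig_a),
    }


if __name__ == "__main__":
    print(demo())
```

Note that verification works without the caller ever seeing the pepper: only the application process holds it, which is exactly what "inaccessible to someone who just has account data" buys you.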

lordcooper

  • Bay Watcher
  • I'm a number!
Re: Sony's Bullshit
« Reply #153 on: June 03, 2011, 07:57:36 pm »

Seriously, SQL injection was taught in my comp at GCSE level.  It's the first thing any hacker or even a spotty kid with his first laptop would think to try.
« Last Edit: June 04, 2011, 07:05:51 am by lordcooper »
Santorum leaves a bad taste in my mouth

head

  • Bay Watcher
  • Whoop Whoop.
Re: Sony's Bullshit
« Reply #154 on: June 03, 2011, 08:50:07 pm »

Yea..so..bad..
Dev on Baystation12- Forums
Steam Username : Headswe

alway

  • Bay Watcher
  • 🏳️‍⚧️
Re: Sony's Bullshit
« Reply #155 on: June 03, 2011, 09:22:54 pm »

And IIRC, all it takes to prevent it is putting an if statement checking whether the query should be performed by checking against a list of permissible actions. I would say it's hacking 101, but it really isn't even a 100 level course.

Fayrik

  • Bay Watcher
Re: Sony's Bullshit
« Reply #156 on: June 03, 2011, 09:52:53 pm »

And IIRC, all it takes to prevent it is putting an if statement checking whether the query should be performed by checking against a list of permissible actions. I would say it's hacking 101, but it really isn't even a 100 level course.
Actually no. There's a faster, more efficient way. Basically you have the program replace all ' characters with \' and all \ characters with \\. (The latter first, naturally, or you're undoing your own work.)
Overall, that's one line of code. That's all it takes.
So THIS is how migrations start.
"Hey, dude, there's this crazy bastard digging in the ground for stuff. Let's go watch."

G-Flex

  • Bay Watcher
Re: Sony's Bullshit
« Reply #157 on: June 03, 2011, 09:57:39 pm »

Or use your own encryption code. Even adding a simple "hashed pass = hash(password + 'abcd')" to your php code will make it more difficult to reveng the password from a hash.

But most likely, whatever place you go to only uses a simple hash to protect your password.

That's kind of my point, though. Everybody is railing against Sony here, and for good enough reason, but the common state of affairs for other companies probably isn't much better, if it's better at all.
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Xgamer4

  • Bay Watcher
Re: Sony's Bullshit
« Reply #158 on: June 03, 2011, 10:24:20 pm »

And IIRC, all it takes to prevent it is putting an if statement checking whether the query should be performed by checking against a list of permissible actions. I would say it's hacking 101, but it really isn't even a 100 level course.
Actually no. There's a faster, more efficient way. Basically you have the program replace all ' characters with \' and all \ characters with \\. (The latter first, naturally, or you're undoing your own work.)
Overall, that's one line of code. That's all it takes.

Easier than that. Assuming you're using PHP, which is a safe bet, just send anything that's going into a database through mysql_real_escape_string() first.
http://php.net/manual/en/function.mysql-real-escape-string.php
insert something mind-blowing/witty here*

dogstile

  • Bay Watcher
Re: Sony's Bullshit
« Reply #159 on: June 04, 2011, 08:41:40 am »

Or use your own encryption code. Even adding a simple "hashed pass = hash(password + 'abcd')" to your php code will make it more difficult to reveng the password from a hash.

But most likely, whatever place you go to only uses a simple hash to protect your password.

That's kind of my point, though. Everybody is railing against Sony here, and for good enough reason, but the common state of affairs for other companies probably isn't much better, if it's better at all.

I've bolded the important part.

We don't know how bad other companies are. We do, however, know Sony's is shit. So we'll rail on them until they get better security, and other companies will hopefully follow their example.

Besides, even if you're just as shit as everyone else, you're still shit.
my champion is now holding his artifact crossbow by his upper left leg and still shooting with it just fine despite having no hands.
What? He's firing from the hip.

G-Flex

  • Bay Watcher
Re: Sony's Bullshit
« Reply #160 on: June 04, 2011, 11:56:38 am »

You're right; for the most part, we don't know. However, we can't assume they're better. We have very little assurance from any company we deal with that their own security is up to par, and that's really, really bad these days, when people's accounts are linked to so much personal information, whether it's private registration info (like in these cases) or what content they actually have on the web associated with them. The point I'm making is that you just can't trust anyone too much, and I've seen enough examples of absolutely atrocious security to assume very little from anyone.
There are 2 types of people in the world: Those who understand hexadecimal, and those who don't.
Visit the #Bay12Games IRC channel on NewNet
== Human Renovation: My Deus Ex mod/fan patch (v1.30, updated 5/31/2012) ==

Soulwynd

  • Bay Watcher
  • -_-
Re: Sony's Bullshit
« Reply #161 on: June 04, 2011, 11:59:15 am »

And that's why you make a facebook account. So you can show all your personal information to the world and then not worry if they will get it from another site.

devek

  • Bay Watcher
  • [KILL_EVERYTHING]
Re: Sony's Bullshit
« Reply #162 on: June 04, 2011, 04:59:05 pm »

And IIRC, all it takes to prevent it is putting an if statement checking whether the query should be performed by checking against a list of permissible actions. I would say it's hacking 101, but it really isn't even a 100 level course.
Actually no. There's a faster, more efficient way. Basically you have the program replace all ' characters with \' and all \ characters with \\. (The latter first, naturally, or you're undoing your own work.)
Overall, that's one line of code. That's all it takes.

Easier than that. Assuming you're using PHP, which is a safe bet, just send anything that's going into a database through mysql_real_escape_string() first.
http://php.net/manual/en/function.mysql-real-escape-string.php

If you're writing something commercial, you are not using mysql.

A real database will have, at the least, compiled sql statements. Injection simply isn't possible.
"Why do people rebuild things that they know are going to be destroyed? Why do people cling to life when they know they can't live forever?"
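Added example (not code from any poster in this thread) that puts the three approaches from Fayrik's, Xgamer4's and devek's posts side by side: input pasted into the SQL text, hand escaping, and a parameterised (prepared) statement. It uses Python's sqlite3 module against an in-memory table with constructed rows; SQLite escapes a quote by doubling it rather than with the backslash scheme the thread describes for MySQL, which is itself the point: escaping rules are dialect-specific, parameters are not.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, one of them containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2"), ("o'brien", "h3")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> List[str]:
    """The broken pattern: user input spliced straight into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_sqlite(value: str) -> str:
    """Hand escaping in SQLite's dialect (quote doubled). MySQL uses the
    backslash scheme from the thread instead; the rules differ per database,
    which is why hand escaping is easy to get wrong when code is ported."""
    return value.replace("'", "''")


def lookup_escaped(conn: sqlite3.Connection, name: str) -> List[str]:
    """Escaping done correctly for this dialect keeps the query intact."""
    sql = "SELECT name FROM users WHERE name = '" + escape_sqlite(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterised (prepared) statement: the input travels as data, so
    nothing in it can change the statement's structure, in any dialect."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run each lookup with a legitimate name and a constructed hostile one."""
    conn = make_db()
    legit = "o'brien"
    hostile = "x' OR '1'='1"  # constructed input that tries to widen the WHERE clause
    results = {}
    try:
        results["concat_legit"] = lookup_concat(conn, legit)
    except sqlite3.OperationalError:
        # The quote in a real name breaks the statement: a bug even without an attacker.
        results["concat_legit"] = "syntax error"
    results["concat_hostile"] = lookup_concat(conn, hostile)  # every row comes back
    results["escaped_legit"] = lookup_escaped(conn, legit)
    results["escaped_hostile"] = lookup_escaped(conn, hostile)
    results["param_legit"] = lookup_param(conn, legit)
    results["param_hostile"] = lookup_param(conn, hostile)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The concatenated version fails on an ordinary name with an apostrophe and returns the whole table for the hostile one; both escaped and parameterised lookups return exactly the matching row. The parameterised form is the one to standardise on, since it needs no per-dialect escaping knowledge and is what devek's "compiled SQL statements" amounts to in practice.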

Fayrik

  • Bay Watcher
Re: Sony's Bullshit
« Reply #163 on: June 04, 2011, 05:15:08 pm »

If you're writing something commercial, you are not using mysql.

A real database will have, at the least, compiled sql statements. Injection simply isn't possible.
I hate to sound whiny, but all the good open source projects use MySQL (or the really good ones use any SQL.)
But I have to agree, compiled SQL statements are much better.
So THIS is how migrations start.
"Hey, dude, there's this crazy bastard digging in the ground for stuff. Let's go watch."

devek

  • Bay Watcher
  • [KILL_EVERYTHING]
Re: Sony's Bullshit
« Reply #164 on: June 04, 2011, 05:27:08 pm »

You're not using an open source project to serve 70 million customers.
"Why do people rebuild things that they know are going to be destroyed? Why do people cling to life when they know they can't live forever?"