Just read something interesting on Security.NL. According to Secunia Apple has made the worst of software lately, we could have guessed that. But the funny part is, that according to their report, “Google Chrome” is made by “Adobe” (page 14 in the PDF)… which is something I didn’t know.
Some time ago I still intended to write my own blog system, instead of using WordPress. I don’t think I ever will, but sometimes still feel the urge to do so, just for the fun of it.
Anyway, at that time I was thinking of some secure way to store passwords. With all the news around md5 and sha1 being ‘broken’, I thought I needed something different. And in all my limited knowledge of proper security I thought of something that seemed rather nice, but really is a bit stupid.
What I thought of using was a combination of both, not storing the sha1 of the password, because collisions were being found and such. But instead storing the md5 and sha1…
I guess by now any person with a bit of security experience would start laughing at me (if any such person is to ever read this post), because it has the exact opposite effect of what I was trying to achieve. Instead of adding security, I was removing it.
By storing both (how doesn’t really matter), one would only have to find a password with the correct md5 and then verify if the sha1 is valid as well… And we all know, finding a password with a valid md5 is much easier then finding one with a valid sha1.
There is something this can be used for I think, but not for adding security to encryption. What it can be used for is for validation of files and such. If you validate a file using both the md5 and sha1, you can be rather sure the file is (still) what it is supposed to be.
What I had in mind is difficult to fake but easy to break.
Recent Comments