On Fri, 25 Aug 2017 10:29:04 +0200, Tobias Boege <tabo...@gmail.com> wrote:
First of all, don't reply to a message from the mailing list when you want
to start a new topic. It's not enough to just change the subject line.
Write a brand new email instead. Both your questions about encryption ended
up in the humongous thread about Gambas switching to Gitlab.
Now to your questions:
(1) Crypt does not operate with files. It takes an input password and
hashes it, returning the hash. It does just this one thing and leaves
storage to you -- because a hash function should not be concerned about
storage.
(2) In light of the answer to (1), you are ignoring the return value of
Crypt.MD5(). This return value is the password hash which you need to get
into a variable and use in a call to Crypt.Check(). Crypt.MD5() doesn't
magically associate a hashed version of "abcdefgh" with "xcodex".
(3) Here:
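Public Sub Main()
  Dim s As String

  ' Keep the returned hash: it is what Crypt.Check() compares against
  s = Crypt.MD5("secret", "salt5678")
  Print s
  ' Crypt.Check() returns True when the password does NOT match the hash
  Print Crypt.Check("test", s)
  Print Crypt.Check("secret", s)
End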
>> $1$salt5678$eRxLEhWQsIei43/wfY66J/
>> True
>> False
(4) You should have read the site about good password hashes I gave you
last time. It explicitly says that MD5 is NOT a good hash for passwords.
MD5 can be used for quick file integrity checks, not passwords.
Regards,
Tobi
I would like to put my two cents on this subject (although, disclaimer: I am
not a professional in security).
First of all, the documentation of gb.crypt is completely wrong. As Tobias says,
its methods have *nothing* to do with encryption: they only make hashes, and NONE
of the hashing methods provided are suitable for hashing passwords, only for
integrity checks (and even for that, MD5 is completely outdated, we recently
found some collisions for SHA-1, and I don't know why DES is even there).
(I should probably go fix that documentation when I have some time, actually.)
As for Tobias' code example, using a pre-defined salt for the hash is not a good
idea: it only makes you more vulnerable to rainbow tables.
It is better to let gb.crypt choose a random salt, like this:
Public Sub Main()
  Dim s As String

  ' No salt argument: gb.crypt chooses a random one
  s = Crypt.MD5("secret") ' Try 1
  Print s
  Print Crypt.Check("test", s)
  Print Crypt.Check("secret", s)

  s = Crypt.MD5("secret") ' Try 2, same password
  Print s
  Print Crypt.Check("test", s)
  Print Crypt.Check("secret", s)
End
$1$7aSkjqOz$U5G4oets/2qDVJc9tXmml1
True
False
$1$RIh/RpJL$2PH3QOTo/81tqOFAxllh2.
True
False
Here, as you can see, the MD5 hashes differ even though we used the same
password, which is really useful if you want to store several passwords in
a database.
Although MD5 is still very bad for hashing passwords.
--
Adrien Prokopowicz
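
Added example, not part of the original messages and not gb.crypt code: a small Python audit that parses stored crypt(3) strings like the ones printed above, flags the MD5 and DES schemes, and reports records that share a salt. The user names, the `SAMPLE` table, the "dave" record and the function names are assumptions made for the illustration.

```python
from collections import Counter

# Scheme ids of the crypt(3) modular format "$id$salt$digest".
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
WEAK = {"md5crypt", "des"}  # flagged by this example; both are named in the thread

# Hashes copied from the outputs above; user names are constructed and
# dave's digest is a constructed placeholder that reuses the fixed salt.
SAMPLE = {
    "alice": "$1$salt5678$eRxLEhWQsIei43/wfY66J/",
    "bob": "$1$7aSkjqOz$U5G4oets/2qDVJc9tXmml1",
    "carol": "$1$RIh/RpJL$2PH3QOTo/81tqOFAxllh2.",
    "dave": "$1$salt5678$" + "x" * 22,
}

def parse_crypt(stored):
    """Split a crypt(3) string into (scheme, salt, digest)."""
    if not stored.startswith("$"):
        if len(stored) == 13:  # traditional DES: 2-char salt + 11-char digest
            return ("des", stored[:2], stored[2:])
        raise ValueError("not a crypt(3) hash: %r" % stored)
    parts = stored.split("$")[1:]  # "$1$salt$digest" -> ['1', 'salt', 'digest']
    if len(parts) == 4 and parts[1].startswith("rounds="):
        del parts[1]  # optional cost field used by the SHA-2 schemes
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed modular crypt string: %r" % stored)
    ident, salt, digest = parts
    return (SCHEMES.get(ident, "unknown:" + ident), salt, digest)

def audit(records):
    """Return (user, finding) pairs for weak schemes and shared salts."""
    parsed = {user: parse_crypt(h) for user, h in records.items()}
    salt_use = Counter((scheme, salt) for scheme, salt, _ in parsed.values())
    findings = []
    for user, (scheme, salt, _) in sorted(parsed.items()):
        if scheme in WEAK:
            findings.append((user, "weak scheme: " + scheme))
        if salt_use[(scheme, salt)] > 1:
            findings.append((user, "salt %r is shared with another record" % salt))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print("%-6s %s" % (user, finding))
```
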