majority of passwords are not encrypted in the database!

scrfix

I decided to research the database and the code in order to fix the New Note crash error. While reviewing all of the database tables looking for the one that contains the new notes I found that the FTP Stored passwords, email stored passwords and pretty much anywhere that kept a password with the exception of the main sign in to the epesi were not encrypted. Anywhere that a password is stored should be stored in 256 bit AES encryption.

Wayne

ajb

Yes, it should be encrypted somehow and it will be. Now passwords are kept in plaintext and we know that's not good, but it's legacy from the first versions of our software.

You have to distinguish passwords stored for email accounts between user passwords to EPESI. User passwords are hashed and it's irreversible process - so you can't obtain password from database. When user is trying to login, then supplied password is hashed again and compared to the stored hash.

Email passwords have to be stored encrypted (not hashed) to use them when EPESI is logging to the email account.

Regards,
Adam

scrfix

What you have said is partially true. If you are using older hashing methods such as md5 hash then yes you have to compare hashes and you cannot decrypt however if you are using that method passwords are not safe anyway because that method of hashing. MD5 hashes have been stored in databases for years and some of these databases contain billions of hashes making MD5 not safe. If you are natively using php's sha1 method of encryption then that method can be decrypted however has been broken and cracked which also means that the level of protection is weak at best. PHPs mcrypt support has not been cracked as far as I am aware. It allows you to decrypt the passwords. It would take the current fastest super computers a billion billion years to crack. Now with that said I believe they did break that method however even with it broken experts say that it still take over a billion years to crack. Would you like a PHP encryption script that will allow you to encrypt and decrypt using mcrypt?

ajb

Like this? 🙂

[quote:2vipmy7j] If you are natively using php's sha1 method of encryption then that method can be decrypted however has been broken and cracked which also means that the level of protection is weak at best.[/quote:2vipmy7j]
sha1 is hashing algorithm - not encryption. Could you please explain what has been broken?

I am aware of md5 weakness.

Regards,
Adam

scrfix

Something close to that. One that is a little more in depth than that. It is similar however it doesn't require the key to be stored within the PHP file. Just glancing at the link it appears to use a blowfish algorithm which if memory serves right uses a reverse sequence to encrypt your data. I didn't do a lot of studying about blowfish when it was first introduced because of this. So such as if you have:

1234567890 It would then encrypt using something with the reverse sequence and a key provided in order to encrypt the data.

Something such as: 0987654321 + key

I could be wrong as it was a very long time ago that I read the article explaining how blowfish actually encrypts and frankly at that time it was a little over my head however I believe it was something similar to the above. Blowfish to my knowledge has never been broken or cracked even with its simplistic encryption method.

The encryption program I have uses the PHP mcrypt to encrypt using the AES256 algorithm with SALT added in to it. Otherwise it is similar to what you have shown.

I was under the impression that sha1 was an encryption and not a hash. Thanks for the clarification on that. I don't use SHA1. Either way SHA1 if you look it up is not a good way to store passwords since it can be easily decrypted.

Explanation of broken and cracked. (Does not apply to hashes)
When an encryption algorithm is considered broken it means that there has been a flaw found in the algorithm. This flaw doesn't mean that you can decrypt the data from the flaw. It merely means that there is something wrong with the algorithm. Example: AES256 has been broken but not cracked. What this means is that instead of it taking 1 billion billion years to decipher a password using that algorithm it will simply take over a billion years (or hundreds of millions of years) to crack the password.

When an encryption algorithm is considered cracked it means that the flaws that were found can be used to decipher the encrypted material without the encryption key. Someone successfully exploited the flaws found in the algorithm to decrypt encrypted data.

Hashing Alogrithms such as MD5 are easier to crack because of the MD5 hash databases out there. There are even articles on how to decrypt MD5 Encrypted Passwords with Salt.

Epesi ENS | Epesi Academy | epesi.cloud PaaS | GitHub

Help Me! | Download from SourceForge