Awesome.

@Sean
The age of the digital wallet has come.
With all the passwords I’m collecting in mine I’ll likely be the first person to get lower back pain from a digital wallet.

@Chris w0w! Well that’s a whole lot worse than expected. I posted to lj_dev (thanks for the link), hopefully we can get someone at LJ to pay attention to this

From cgi-bin/ljlib.pl:


# Validate password
my $hashed = Digest::MD5::md5_hex($chal . Digest::MD5::md5_hex($pass));
if ($hashed eq $res) {
return 1;
} else {
LJ::handle_bad_login($u);
return 0;
}


You may want to make a post in the lj_dev community about this.

Yeah, keeping so many passwords seems difficult until you have a single secure login for your desktop which manages your password list for you.

Examples would be
GPass – The Gnome Password Manager
KWallet – The KDE Wallet Management System

As you well know, I’m a bit odd in that I refuse to sign up for any service that I won’t use all the time, so I only have 8 passwords to remember. 7 Individual important passwords, and one “this password sucks and if it is compromised I don’t care because it’s only used on sites I could care less about” password.

I’m really glad you’re moving on SiloSync, it’s going to be an invaluable tool in the days to come. I’m going to go home and make my blog SiloSync ready ASAP.

Joe: If the password hashes aren’t salted, you only have to generate the rainbow tables once in order to recover any number of passwords. The point of salting is that a cracker would have to generate a set of tables for each individual salt in the database. Alternatively, one could use a reduction function which accounts for the combined length of both the password and the salt when generating tables, but this would be computationally prohibitive for all but the shortest salts.

I wouldn’t go so far as to say they could hack into an account using just the knowledge of the password MD5.

I would :)… their challenge is just sent in the login form and is not special. The system you outlined is cool, but they don’t do anything fancy like this. The way I’m so sure is that I wrote a tool to login to LiveJournal through PHP as part of my soon-to-be-announced open-source project: SiloSync. Gimme your hash & I’ll demonstrate! :-D

Your suggestion about the simple salted hash is the best option in my humble opinion. Just create a random salt for every user, store it in the database, and use it as part of your hash.

After reading the rest of your post, I see what you mean. That would certainly be reasonable, especially if it was hard to cram bcrypt into your code-base.

This is why I use a different password for every login I have.

You’re smart. Dang that’s hard though, I think I only have 7 regularly used passwords & I consider myself fairly paranoid.