How secure?

I have an admin section on my site which is made in Flash, and when checking the entered password it simply sends it to a PHP script which pulls the password from a MySQL server and compares the two values.

I wonder how secure this is; is it possible for someone else to get hold of my password very easily?

Flash SWFs are easily decompiled. I'm no expert on this, but I know that it can be done. I would think that someone could decompile your movie, get the string that pulls the password, and pull it themselves.

Ditto. All they have to look at is the AS of the file and somehow queue the script to get your password.

Is the stored password encrypted or is it plaintext?

Even if it's hashed by MD5, it's still decryptable. I once did it to a 6-character password in an hour or so. If it does use MD5, make your password 12+ characters long.

What is MD5? =/
And I guess it's encrypted... this is how I put it into MySQL:

INSERT INTO mytable VALUES(PASSWORD('mypass'));

Well, it looks encrypted at least...

But how are they going to get hold of my password with the AS of my Flash file? I mean, the pass isn't coded inside the AS. I get it through a PHP file which gets it from the MySQL table...

The only thing they'll get with the AS is the PHP file I load when I verify the password...

And again... what is MD5?

Thanks for your replies.

No, it's not possible to get your password through decompiling the SWF. And they won't be able to see your PHP source code, so there's no need to worry.

*Originally posted by Phat7 *
**No, it's not possible to get your password through decompiling the SWF. And they won't be able to see your PHP source code, so there's no need to worry. **
Possible, just not easy. You really don't need to worry, though. I mean, if you are just making a personal site or something like that, then there really is no need to worry about tight security. People are only going to try to hack your site if they think they can make money off of it or something like that. Your site should be fine.

md5 is an undecodable hash encryption for passwords and sensitive data. Basically, it's like this:


<?php

// Hash the plaintext with MD5; the result is a 32-character lowercase hex string.
$string = "monkey";
$pass = md5($string);

echo $pass;

?>

and that will give you a hash string that looks just like random letters and numbers put together. Different strings can have the same hash values, but it's unlikely. It's a good way to store passwords...

Just for reference, a 10-digit password which consists of both letters and numbers, in which the letters are both upper and lower case and which sometimes follow a pattern and sometimes don't, will take a lot longer than an hour to decrypt. A typical password that I might invent would be something like

aaT3zCCC67

Now, something like that will even take the FBI a while to crack.

I think 15 digits in such a manner is supposed to take 100 years on the FBI's current equipment... though I'm not 100% on that. Either way, it's a good habit to get into. Maybe you won't be able to memorize it, but when you're talking security that's a good thing.

Yeah, the difference between a 6-digit pass and a 7-digit pass is something like 14 days. And I think I read that thing about 100 days on the FBI's equipment... although that could just be propaganda put out by Big Brother... :wink:

Vash, how would you use that?

Like, to check to see if the password is the same, would you just check if the unencrypted one equals the string? Or...?

although that could just be propaganda put out by big brother

You might be right, Jubba, but I think I read it in a book by a prominent hacker who, now that he's out of jail, works securing company sites.

Of course he could have been talking about 70’s tech too. :slight_smile:

Either way... the more digits you add, the more you compound the amount of time it takes to decompile it... so the best bet I suppose would be to go with a 30-digit pass. (Man, wouldn't that be a pain in the butt to remember.)

*Originally posted by Yeldarb *
**Vash, how would you use that?

Like, to check to see if the password is the same, would you just check if the unencrypted one equals the string? Or...? **

You hash both strings and compare them.

MD5s are technically unencryptable, but it’s possible to de-hash them to make a string that will hash into a given value.

EDIT: just in case you're curious, this program will take a given MD5 hash and 'de-hash' it... it seems to take quite a while, though :wink:

http://mdcrack.df.ru/nsindex2.html
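The two points made above, the md5 post's "it's a good way to store passwords" and this post's "you hash both strings and compare them", plus the thread's argument that short MD5'd passwords can be recovered by trying guesses, are worked through here as an added example that is not part of the thread or anyone's posted code. It is written in Python rather than PHP so it runs stand-alone; hashlib.md5(...).hexdigest() produces the same 32-character lowercase hex as PHP's md5(). The function names (store_password, verify_password, crack_md5, keyspace, seconds_to_exhaust), the sample password "k9z" and the hash rate used for the time estimate are all assumptions made for the example.

```python
import hashlib
import hmac
import itertools
from typing import Optional

# Added example (not from the thread): the "hash both strings and compare them"
# login check, and a small exhaustive search showing why a short MD5'd password
# is recovered quickly. hashlib.md5 gives the same lowercase hex as PHP's md5().


def md5_hex(text: str) -> str:
    """MD5 of a string as lowercase hex, matching PHP's md5($string)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def store_password(password: str) -> str:
    """What the site would write into its table: the hash, never the plaintext."""
    return md5_hex(password)


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Login check: hash what the user typed and compare it to the stored hash.

    compare_digest runs in constant time; a plain == stops at the first
    differing byte and leaks a little timing information about the match.
    """
    return hmac.compare_digest(md5_hex(candidate), stored_hash)


def crack_md5(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Exhaustive search: hash every string over `alphabet` up to `max_len`.

    Returns the first preimage found, or None once the space is exhausted.
    This is what the thread calls 'de-hashing': MD5 is not inverted, guesses
    are hashed until one produces the target value.
    """
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if md5_hex(guess) == target_hash:
                return guess
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to try every password of this length at a given hash rate."""
    return keyspace(alphabet_size, length) / hashes_per_second


if __name__ == "__main__":
    stored = store_password("monkey")
    print("stored hash:", stored)
    print("login 'monkey':", verify_password("monkey", stored))
    print("login 'Monkey':", verify_password("Monkey", stored))

    # Constructed target: a 3-character lowercase+digit password (assumed value "k9z").
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    print("cracked:", crack_md5(md5_hex("k9z"), alphabet, 3))

    # Why length matters: each extra character multiplies the work by the alphabet size.
    mixed = 26 + 26 + 10  # upper, lower and digits, as in the 'aaT3zCCC67' post
    rate = 1e6            # assumed hash rate, hashes per second
    for n in (6, 7, 10):
        print(f"{n} chars over {mixed}: {keyspace(mixed, n):,} candidates, "
              f"{seconds_to_exhaust(mixed, n, rate) / 86400:,.1f} days at {rate:.0e}/s")
```

The search over three lowercase-plus-digit characters finishes in well under a second; adding one character multiplies the work by the alphabet size, which is the whole of the "12+ characters" advice in the thread. The check itself never decrypts anything: the stored value is compared against a fresh hash of the submitted string. Unsalted MD5 is obsolete for password storage; current practice is a salted, deliberately slow hash (PHP's password_hash(), bcrypt, Argon2), but the hash-then-compare shape of the login check is the same.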

*Originally posted by njs12345 *
**MD5s are technically unencryptable, but it’s possible to de-hash them to make a string that will hash into a given value.
**

Right, but different strings have the same hash values, so you aren't 100% certain that you have the original string.