Seems like NickFitz was right - Telegraph hacked

**NickFitz** · 9 March 2009, 02:40

Passwords in the database as plain text?

FFS...

**BrilloPad** · 9 March 2009, 07:27

They should have employed NickFitz......

**DimPrawn** · 9 March 2009, 08:53

Today's headline

A PHP + MySql website in totally unsecure shock horror!

**EternalOptimist** · 9 March 2009, 09:46

question for Nick

am I right in saying that the client is used to encrypt/decrypt the pwd, and the result can be stored , say, as a varchar ?

if you can hear a funny noise, it's my @rse hole twisting

**OwlHoot** · 9 March 2009, 12:02

Originally posted by EternalOptimist View Post

question for Nick

am I right in saying that the client is used to encrypt/decrypt the pwd, and the result can be stored , say, as a varchar ?

if you can hear a funny noise, it's my @rse hole twisting

The usual practice is to store only a hash (MD5 or SHA etc) of the password, and compare this with hashes (using the same scheme) of password attempts submitted by the client.

The chance of a hash collision with a different submitted string of reasonable length is so remote it can be ignored.

**BlightyBoy** · 9 March 2009, 13:05

Originally posted by OwlHoot View Post

The usual practice is to store only a hash (MD5 or SHA etc) of the password, and compare this with hashes (using the same scheme) of password attempts submitted by the client.

Yup. This is exactly how PIN numbers on your Chip & PIN card work. The encrpytion key and encrypted answer are stored on the Chip, but not the actual PIN number.

It's one of those mechanisms whereby you cannot reverse-engineer the "answer" to the "question" even if you have the encryption code.

**EternalOptimist** · 9 March 2009, 13:35

Originally posted by BlightyBoy View Post

Yup. This is exactly how PIN numbers on your Chip & PIN card work. The encrpytion key and encrypted answer are stored on the Chip, but not the actual PIN number.

It's one of those mechanisms whereby you cannot reverse-engineer the "answer" to the "question" even if you have the encryption code.

so what would a hash of 'password' look like, and can i store it in a varchar

(i am building a back end for some app devs- long story)

**DaveB** · 9 March 2009, 13:42

Originally posted by EternalOptimist View Post

so what would a hash of 'password' look like, and can i store it in a varchar

(i am building a back end for some app devs- long story)

An apparently random sequence of alphanumeric characters of variable length but with fixed bounds.

**EternalOptimist** · 9 March 2009, 13:46

Originally posted by DaveB View Post

An apparently random sequence of alphanumeric characters of variable length but with fixed bounds.

merci

Seems like NickFitz was right - Telegraph hacked