
Previously on "Seems like NickFitz was right - Telegraph hacked"


  • BlightyBoy
    replied
    Originally posted by DaveB
    An apparently random sequence of alphanumeric characters of variable length but with fixed bounds.
    Actually, that depends...

    If you use SHA or MD5, then DaveB is correct. However, I have implemented an encryption algorithm that produces a 32-bit unsigned integral number. This is particularly useful for either a) doing faster numeric, rather than textual comparisons, and b) using the "hashed" value of an alpha-numeric (text) as a key value in a binary search tree.



  • EternalOptimist
    replied
    Originally posted by DaveB
    An apparently random sequence of alphanumeric characters of variable length but with fixed bounds.
    merci



  • DaveB
    replied
    Originally posted by EternalOptimist
    so what would a hash of 'password' look like, and can I store it in a varchar

    (I am building a back end for some app devs - long story)


    An apparently random sequence of alphanumeric characters of variable length but with fixed bounds.



  • EternalOptimist
    replied
    Originally posted by BlightyBoy
    Yup. This is exactly how PIN numbers on your Chip & PIN card work. The encryption key and encrypted answer are stored on the Chip, but not the actual PIN number.

    It's one of those mechanisms whereby you cannot reverse-engineer the "answer" to the "question" even if you have the encryption code.
    so what would a hash of 'password' look like, and can I store it in a varchar

    (I am building a back end for some app devs - long story)




  • BlightyBoy
    replied
    Originally posted by OwlHoot
    The usual practice is to store only a hash (MD5 or SHA etc) of the password, and compare this with hashes (using the same scheme) of password attempts submitted by the client.
    Yup. This is exactly how PIN numbers on your Chip & PIN card work. The encryption key and encrypted answer are stored on the Chip, but not the actual PIN number.

    It's one of those mechanisms whereby you cannot reverse-engineer the "answer" to the "question" even if you have the encryption code.



  • OwlHoot
    replied
    Originally posted by EternalOptimist
    question for Nick

    am I right in saying that the client is used to encrypt/decrypt the pwd, and the result can be stored, say, as a varchar?


    if you can hear a funny noise, it's my @rse hole twisting


    The usual practice is to store only a hash (MD5 or SHA etc) of the password, and compare this with hashes (using the same scheme) of password attempts submitted by the client.

    The chance of a hash collision with a different submitted string of reasonable length is so remote it can be ignored.
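    The store-a-digest-and-compare scheme OwlHoot describes, together with the answer to the VARCHAR question from DaveB's reply, as an added example that is not code from this thread or from the site discussed. It shows a bare SHA-256 digest (always 64 hex characters) and a salted PBKDF2 record of fixed length; the record layout and iteration count are this example's own assumptions.

    ```python
    import hashlib
    import hmac
    import secrets

    # Added example, not code from the thread. Store only a digest of the
    # password and compare the digest of each login attempt against it. Hex
    # digests are fixed-length alphanumeric text, so a VARCHAR of that width
    # holds them. Salted PBKDF2 is this example's choice over a bare MD5/SHA
    # digest; the record layout and iteration count are assumptions.
    ITERATIONS = 100_000

    def plain_sha256_hex(password: str) -> str:
        """Bare SHA-256 as discussed in the thread: always 64 hex characters."""
        return hashlib.sha256(password.encode("utf-8")).hexdigest()

    def make_password_record(password: str) -> str:
        """Return the text to store instead of the password.

        Layout (this example's own convention): algorithm$iterations$salt$digest,
        with salt and digest as hex, so every record has the same length.
        """
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
        return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

    def verify_password(record: str, attempt: str) -> bool:
        """Re-hash the attempt with the stored salt and compare in constant time."""
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        # compare_digest does not stop at the first differing byte.
        return hmac.compare_digest(candidate.hex(), digest_hex)

    def record_length() -> int:
        """Fixed length of every record, i.e. the column width to declare."""
        return len(make_password_record("x"))

    if __name__ == "__main__":
        rec = make_password_record("password")
        print(plain_sha256_hex("password"))      # 64 hex characters
        print(rec, record_length())              # record and its length (118)
        print(verify_password(rec, "password"))  # True
        print(verify_password(rec, "Password"))  # False
    ```
    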



  • EternalOptimist
    replied
    question for Nick

    am I right in saying that the client is used to encrypt/decrypt the pwd, and the result can be stored, say, as a varchar?


    if you can hear a funny noise, it's my @rse hole twisting




  • DimPrawn
    replied
    Today's headline

    A PHP + MySql website is totally insecure, shock horror!




  • BrilloPad
    replied
    They should have employed NickFitz......



  • NickFitz
    replied
    Passwords in the database as plain text?

    FFS...



  • OwlHoot
    started a topic Seems like NickFitz was right - Telegraph hacked

    Someone in their IT department is for the high jump, following an SQL injection exploit.

    Story (discussion by the hackers themselves actually) here and another article here.

    It's almost unbelievable that anyone these days would neglect to properly encode client-derived strings in SQL statements.
    Last edited by OwlHoot; 9 March 2009, 01:35.
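    The failure the post refers to, as an added example that is not the Telegraph's code: a query built by concatenating a client-derived string beside the same query with the value bound as a parameter. The table, rows and inputs are constructed here; SQLite stands in for MySQL.

    ```python
    import sqlite3

    # Added, stand-alone demonstration; not the site's code. Contrasts building
    # SQL text by string concatenation with passing the client-derived value as
    # a bound parameter, which is what "properly encoding" it amounts to.

    def make_db() -> sqlite3.Connection:
        """In-memory database with a few constructed user rows."""
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
        conn.executemany("INSERT INTO users VALUES (?, ?)",
                         [("alice", "alice@example.invalid"),
                          ("bob", "bob@example.invalid")])
        return conn

    def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
        """Vulnerable form: the client string becomes part of the SQL text."""
        sql = ("SELECT username FROM users WHERE username = '" + username
               + "' ORDER BY username")
        return [row[0] for row in conn.execute(sql)]

    def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
        """Hardened form: the driver binds the value; it cannot alter the query."""
        sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
        return [row[0] for row in conn.execute(sql, (username,))]

    if __name__ == "__main__":
        conn = make_db()
        # Constructed input: a quote character plus an always-true condition.
        tampered = "nobody' OR 'a'='a"
        print(lookup_concatenated(conn, tampered))   # ['alice', 'bob']: every row returned
        print(lookup_parameterised(conn, tampered))  # []: the value is matched literally
        print(lookup_parameterised(conn, "alice"))   # ['alice']
    ```
    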
