
HTTPS on the ContractorUK

    #51
    Originally posted by woohoo:
    The passwords are encrypted client side (md5) and the hashed password is sent to the server in plain text.
    Okay, I looked at the form. That's true. What a weird practice.

    Originally posted by eek:
    The drip feeding of information to the point that people say enough that they become identifiable is nothing new. But that is actually a reason to do slightly more to protect users rather than less.

    It is, however, irrelevant to the reason why ssl is being introduced - which is more about intermediate steps injecting information and adverts into the request
    Hashes are used for validation but they don't always have to be the same. Bcrypt doesn't generate the same hash for the same input, but they can be validated against each other.
    Last edited by fool; 28 November 2017, 08:47.



      #52
      Originally posted by eek:
      Hashing a password is not encryption. Encryption means you encrypt something that can later be decrypted; hashing is more a validation check: the string x (assuming a salt that is consistent) will always generate the same hash code y. This ensures that the database does not store the plain text password.
      I know how md5 works, just sloppy use of the word encrypt.



        #53
        Originally posted by fool:
        Okay, I looked at the form. That's true. What a weird practice.
        That’s fairly standard nowadays (in both forum and WordPress software) as it’s a means of ensuring the unhashed password isn’t sent unless absolutely necessary - downside is that the salt will be visible somewhere unless the hash is based on just username and password
        merely at clientco for the entertainment



          #54
          Originally posted by woohoo:
          I know how md5 works, just sloppy use of the word encrypt.
          When trying to win points don’t provide a means of attack.

          I’m an equal opportunity attacker - I’m happy to attack anyone who seems (even accidentally) to know less than they claim to
          merely at clientco for the entertainment



            #55
            Originally posted by eek:
            When trying to win points don’t provide a means of attack.

            I’m an equal opportunity attacker - I’m happy to attack anyone who seems (even accidentally) to know less than they claim to
            That's the wrong way to look at it. I'm happy if I learn something new and if someone was to give me a valid reason for not using SSL on this website, then I would say I'm wrong and be a bit wiser.



              #56
              Originally posted by eek:
              That’s fairly standard nowadays (in both forum and WordPress software) as it’s a means of ensuring the unhashed password isn’t sent unless absolutely necessary - downside is that the salt will be visible somewhere unless the hash is based on just username and password
              I still think it's weird because it seems somewhat pointless.

              It looks like a concatenation of itself 3 times, one of which is the hash, hashed with md5. The problem is once you know what it's doing, which you can figure out by reading the client side code, you can generate a rainbow table pretty quickly using md5.

              Only those with increasingly long and/or esoteric passwords would really have any level of protection. If it were PBKDF2, bcrypt, scrypt or something along those lines, I could see it adding value, but even then once a single hash is leaked, we assume it's compromised. Hashing is only really buying you time until it's cracked and that time is supposed to be used to rotate.

              Still, interesting to know people are doing this... Also, transport security isn't just about auth. I know you know this, the others evidently don't.
              Last edited by fool; 28 November 2017, 09:08.

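An added example, not code from this thread or from the forum software, contrasting the two properties argued over in #51 and #56: a deterministic, unsalted MD5 of the password (the client-side scheme described above, simplified here to a single MD5 rather than the forum's exact concatenation) always produces the same output, so one precomputed table of common passwords answers it for every user, whereas a salted, slow hash gives a different digest for the same password on every run and still verifies. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which behaves the same way with respect to per-hash salts. The password list, the iteration count and all credentials are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune to ~100 ms on the server


def md5_hex(password: str) -> str:
    """Deterministic, unsalted, fast hash (simplified form of the client-side scheme).

    Same input always gives the same output, so a table built once applies to
    every user and every login, and a captured value is password-equivalent.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_lookup(common_passwords: List[str]) -> Dict[str, str]:
    """Precompute md5 -> password once; a toy version of the table #56 refers to."""
    return {md5_hex(p): p for p in common_passwords}


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash (PBKDF2-HMAC-SHA256).

    A fresh 16-byte random salt is drawn per call, so two hashes of the same
    password differ; the server stores both (salt, digest). bcrypt works the
    same way, embedding its salt in the output string, which is why it
    'doesn't generate the same hash for the same input' yet still verifies.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = pbkdf2_store(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def compare_schemes(password: str, common_passwords: List[str]) -> Dict[str, bool]:
    """Run both schemes over one constructed password and report their properties."""
    table = build_md5_lookup(common_passwords)
    leaked_md5 = md5_hex(password)  # what an observer of plain HTTP would see

    salt_a, digest_a = pbkdf2_store(password)
    salt_b, digest_b = pbkdf2_store(password)

    return {
        "md5_deterministic": md5_hex(password) == leaked_md5,
        "md5_found_in_table": leaked_md5 in table,
        "pbkdf2_outputs_differ": digest_a != digest_b,
        "pbkdf2_verifies": pbkdf2_verify(password, salt_a, digest_a)
        and pbkdf2_verify(password, salt_b, digest_b),
        "pbkdf2_rejects_wrong": not pbkdf2_verify(password + "x", salt_a, digest_a),
    }


if __name__ == "__main__":
    # Constructed sample data, not taken from any real credential dump.
    COMMON = ["password", "123456", "qwerty", "letmein", "password123"]
    for name, value in compare_schemes("password123", COMMON).items():
        print(f"{name}: {value}")
```

Neither scheme changes the transport-security point made in #56: a deterministic value sent over plain HTTP is observable and reusable just like the password it replaces, and only TLS addresses that (and the injected content #51 mentions). The salted scheme is about what a leaked database is worth, which is a separate question.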


                #57
                Originally posted by fool:
                Okay, I looked at the form. That's true. What a weird practice.
                I agree it's a bit weird.
                Last edited by woohoo; 28 November 2017, 09:11.



                  #58
                  Originally posted by woohoo:
                  That's the wrong way to look at it. I'm happy if I learn something new and if someone was to give me a valid reason for not using SSL on this website, then I would say I'm wrong and be a bit wiser.
                  Okay, so we don't want SSL. We want TLS, preferably 1.2. ;]



                    #59
                    Originally posted by fool:
                    Okay, so we don't want SSL. We want TLS, preferably 1.2. ;]
                    hah, yes.



                      #60
                      Job done. Been on our minds to sort SSL out here for quite a while, so thanks for the nudge. Got a wildcard cert as making some changes to the front end of the site very soon and need to do the www, forum and ads subdomains. Fingers crossed will be able to redo the forum soon as well. One thing at a time though...
