Friday, January 21, 2011

Psuedo Password Encryption

You simply use 'echo -n "" | md5sum' which simply sucks. If someone uses your terminal, they can check the history and you are gone.

Another thing to note, hashing password is NOT ENCRYPTION. Encryption uses an unknown factor called a key (layman term: a password or passphrase) !

You can also make a rainbow table or in simple terms, md5 hash all the possible passwords into a table and then match the hash and see which one matches and that's the password.

What happen if you simply clean out the history of your terminal / command line ? Doesn't that mean you are done and you need to click on the 'Forget Password' link ?

Please don't use such disingenius way of 'protecting password'. Use a proper password manager that uses properly implemented cryptographic ciphers that are true and tested to withstand attacks like the AES finalists: Rijndael, Serpent and Twofish.

Hashing is always a bad way to store password. Encrypt the password with a master password is always the way to go using a properly implemented cryptographic Password Manager.

A password manager I made: PasswordStore.

No comments: