create a md5 / md5 passwd with a salt

Discussion in 'Ruby' started by Peter Woodsky, Nov 20, 2008.

  1. Hi list

    This problem is so above me my head is swimming.

    I have a forum software that recently changed the way passwords were
    stored. I use a ruby script to update the user table when the user
    changes the password but my script no longer works so I hope someone
    here can help or point me in the right direction.

    The forum now uses this format for storing passwords md5(md5(PASSWORD) .
    salt) where previously it was md5(PASSWORD) which was pretty easy to
    deal with.

    This is what I used before:

    require 'cgi'
    cgi = CGI.new
    require 'digest/md5'
    user_pwd = hash_class.hexdigest("#{password}")
    end

    Like I said I hope someone has an idea or solution.

    Thanks in advance,
    Peter
    --
    Posted via http://www.ruby-forum.com/.
    Peter Woodsky, Nov 20, 2008
    #1
    1. Advertising

  2. Peter Woodsky

    Aaron Turner Guest

    On Thu, Nov 20, 2008 at 10:21 AM, Peter Woodsky <> wrote:
    > Hi list
    >
    > This problem is so above me my head is swimming.
    >
    > I have a forum software that recently changed the way passwords were
    > stored. I use a ruby script to update the user table when the user
    > changes the password but my script no longer works so I hope someone
    > here can help or point me in the right direction.
    >
    > The forum now uses this format for storing passwords md5(md5(PASSWORD) .
    > salt) where previously it was md5(PASSWORD) which was pretty easy to
    > deal with.
    >
    > This is what I used before:
    >
    > require 'cgi'
    > cgi = CGI.new
    > require 'digest/md5'
    > user_pwd = hash_class.hexdigest("#{password}")
    > end



    user_pwd = Digest::MD5.hexdigest(Digest::MD5.hexdigest(password) + salt)

    I will point out this though: for this to work, somewhere you need to
    store the PLAIN TEXT salt in the DB. Usually this is done by
    pre-pending the salt to the hashed pasword like this:

    user_pwd = salt + Digest::MD5.hexdigest(Digest::MD5.hexdigest(password) + salt)

    Or it might be stored in another field in the DB. That way when the
    user logs in, you can use the salt again to test to see if the hashes
    match.



    --
    Aaron Turner
    http://synfin.net/
    http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
    They that can give up essential liberty to obtain a little temporary
    safety deserve neither liberty nor safety. -- Benjamin Franklin
    Aaron Turner, Nov 20, 2008
    #2
    1. Advertising

  3. Peter Woodsky wrote:
    > The forum now uses this format for storing passwords md5(md5(PASSWORD) .
    > salt) where previously it was md5(PASSWORD) which was pretty easy to
    > deal with.


    You should give an example of a password, a salt, and the expected
    output. That's not any "standard" way of hashing an output that I've
    seen.

    Is the inner md5() function producing a binary output (16 bytes) or hex
    (32 characters)? Or something else, e.g. base64 (24 characters)?

    Anyway, it'll be easy enough to code if you know what you're looking
    for. You can test if you're doing it right in irb.

    Example: I've arbitarily chosen inner md5 is binary, outer MD5 is hex:

    irb(main):001:0> require 'digest/md5'
    => true
    irb(main):002:0> Digest::MD5.digest("hello")
    => "]A@*\274K*v\271q\235\221\020\027\305\222"
    irb(main):003:0> Digest::MD5.digest("hello") + "mysalt"
    => "]A@*\274K*v\271q\235\221\020\027\305\222mysalt"
    irb(main):004:0> Digest::MD5.hexdigest(Digest::MD5.digest("hello") +
    "mysalt")
    => "263058590f9387d91f98266a832fabaf"
    --
    Posted via http://www.ruby-forum.com/.
    Brian Candler, Nov 20, 2008
    #3
  4. Brian Candler wrote:
    > Peter Woodsky wrote:
    >> The forum now uses this format for storing passwords md5(md5(PASSWORD) .
    >> salt) where previously it was md5(PASSWORD) which was pretty easy to
    >> deal with.

    >
    > You should give an example of a password, a salt, and the expected
    > output. That's not any "standard" way of hashing an output that I've
    > seen.
    >
    > Is the inner md5() function producing a binary output (16 bytes) or hex
    > (32 characters)? Or something else, e.g. base64 (24 characters)?
    >
    > Anyway, it'll be easy enough to code if you know what you're looking
    > for. You can test if you're doing it right in irb.
    >
    > Example: I've arbitarily chosen inner md5 is binary, outer MD5 is hex:
    >
    > irb(main):001:0> require 'digest/md5'
    > => true
    > irb(main):002:0> Digest::MD5.digest("hello")
    > => "]A@*\274K*v\271q\235\221\020\027\305\222"
    > irb(main):003:0> Digest::MD5.digest("hello") + "mysalt"
    > => "]A@*\274K*v\271q\235\221\020\027\305\222mysalt"
    > irb(main):004:0> Digest::MD5.hexdigest(Digest::MD5.digest("hello") +
    > "mysalt")
    > => "263058590f9387d91f98266a832fabaf"


    From the first solution given it works as it should. All that was
    required was "" for the vars password and salt.

    md5_w_salt = Digest::MD5.hexdigest(Digest::MD5.hexdigest("#{password}")
    + "#{row[0]}")

    Thanks again!
    --
    Posted via http://www.ruby-forum.com/.
    Peter Woodsky, Nov 20, 2008
    #4
  5. Peter Woodsky wrote:
    > From the first solution given it works as it should. All that was
    > required was "" for the vars password and salt.
    >
    > md5_w_salt = Digest::MD5.hexdigest(Digest::MD5.hexdigest("#{password}")
    > + "#{row[0]}")


    Glad it works. Note that if password and row[0] are Strings, you should
    not need to wrap them in "#{..}" since you are just interpolating a
    String into another String.
    --
    Posted via http://www.ruby-forum.com/.
    Brian Candler, Nov 20, 2008
    #5
  6. Peter Woodsky

    Greg Donald Guest

    Greg Donald, Nov 20, 2008
    #6
  7. Greg Donald wrote:
    > On Thu, Nov 20, 2008 at 12:21 PM, Peter Woodsky <>
    > wrote:
    >> require 'digest/md5'

    >
    > MD5 is no longer secure:
    >
    > http://www.google.com/search?q=md5 broken
    >
    >
    > There are a number of MD5 lookup dictionaries already online for a
    > couple years now, for example:
    >
    > http://gdataonline.com/seekhash.php
    > http://passcracking.com/


    I think you're confusing two things.

    1. MD5 has been broken, in the sense that you can make two versions of a
    document with the same MD5 hash

    2. You can have lookup dictionaries for hashes. However the same could
    be done for SHA1 or any other hash, and does not depend on (1).

    But in any case:

    * the OP's algorithm has a salt. If well chosen (random and long
    enough), this should eliminate the dictionary attack. (It would be
    better if it were a HMAC construction though)

    * the OP seems to have no choice in the algorithm to use anyway

    * the OP wasn't asking for security advice :)
    --
    Posted via http://www.ruby-forum.com/.
    Brian Candler, Nov 21, 2008
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. =?Utf-8?B?U2F0ZWVzaCBLdW1hciBFIEM=?=

    Speech Web Application using SALT

    =?Utf-8?B?U2F0ZWVzaCBLdW1hciBFIEM=?=, Dec 31, 2003, in forum: ASP .Net
    Replies:
    0
    Views:
    366
    =?Utf-8?B?U2F0ZWVzaCBLdW1hciBFIEM=?=
    Dec 31, 2003
  2. =?Utf-8?B?U2F0ZWVzaCBLdW1hciBFIEM=?=

    Speech Apllication using SALT

    =?Utf-8?B?U2F0ZWVzaCBLdW1hciBFIEM=?=, Jan 2, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    357
    =?Utf-8?B?U2F0ZWVzaCBLdW1hciBFIEM=?=
    Jan 2, 2004
  3. Mark Olbert

    Default AES Salt in ASPNET2 Site

    Mark Olbert, Feb 23, 2006, in forum: ASP .Net
    Replies:
    1
    Views:
    435
    Mark Olbert
    Feb 23, 2006
  4. ClaudiaE
    Replies:
    1
    Views:
    579
    Hans Granqvist
    Dec 3, 2003
  5. Florian Lindner

    Generating salt for crypt

    Florian Lindner, Mar 3, 2004, in forum: Python
    Replies:
    1
    Views:
    410
    Dietrich Epp
    Mar 6, 2004
Loading...

Share This Page