![Page 1: Password Storage And Attacking In PHP - PHP Argentina](https://reader030.vdocuments.us/reader030/viewer/2022032420/55a58a071a28abd4138b465a/html5/thumbnails/1.jpg)
Password Storage (And Attacking) In PHP
Anthony Ferrara
“Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break.”
- Bruce Schneier
Github URL
Follow Along:
github.com/ircmaxell/password-bad-web-app
A "Bad Web App"
- Has Known Vulnerabilities
- Only Use For Education!!!
- Requires only Apache + PHP
- Has Composer Dependencies
Let's Start From The Beginning
Plain-Text Storage
git checkout plaintext
Stores passwords in Plain-Text
What's wrong with this picture?
Plain-Text Storage
What happens if we have a SQL-Injection Vulnerability?
localhost/sqli
Simulates:
?offset=0'+UNION+SELECT+*+FROM+users
Plain-Text Storage
Problem!
Any attack vector results in leakage of ALL credentials!
We Can Do Better
MD5
git checkout md5
Uses the MD5 Cryptographic Hash function.
md5($password)
hash('md5', $password)
Wait, What Is A Hash?
What's A Cryptographic Hash?
Like a fingerprint.
One-way.
- Easy and efficient to compute
- Very inefficient to reverse (practically impossible)
- Very hard to create a collision (new input with same output)
MD5
What's the problem now?
SQL-Injection still gives us hash
But the hash is one-way, how can we attack it?
Enter: Lookup Tables
Lookup Table
Google is a great example
Maps hash to password directly
Database Table:

hash           | password
---------------+-----------
"5f4dcc3b..."  | "password"
"acbd18db..."  | "foo"
Lookup Table
Lookups are CPU efficient.
Require a LOT of storage space (very space inefficient).
All passwords <= 7 chars (95^7, about 70 trillion) require 1.5 PetaBytes, in the most optimal storage format.
We Can Do Better
Lookup Table (diagram): Password -> Hash (a4fef...), stored as one row per password.
Rainbow Table (diagram): Seed -> Hash -> Reduce -> Hash (a4fef...) -> Reduce -> New Password -> Hash (b741...)
Chained Table (diagram): six chains, each Seed N -> Hash -> Reduce -> Hash -> Reduce -> Hash -> Reduce -> Hash. Only the seed and the final hash of each chain are stored; everything in between is recomputed on demand.
Rainbow Table (diagram): the same six chains, but every column uses a different Reduce function, so two chains merge only when they collide in the same column rather than whenever they collide at all.
Using A Rainbow Table (diagram, shown as a four-step animation): the target hash a4fef... is compared against the stored chain ends (b741...). If it does not match, it is Reduced and Hashed once more, and again, until the result equals a stored end. That chain is then regenerated from its seed (Seed 1, 2 or 3) until the password whose hash is a4fef... is reached.
Rainbow Table
Time/Space Tradeoff
- Slower than a Lookup Table
- Uses much less storage
Most (99.9%) passwords <= 7 chars require only 64 GB, with a chain length of 71,000.
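A working miniature of the chain / reduce / lookup procedure described above, added here as an illustration; it is not code from the talk or its repository. MD5 is the hash; the reduction function, the tiny keyspace (3 characters from "abcdef"), the chain length and the table size are assumptions chosen only to keep the run small.

```php
<?php
// Added example (not from the talk or its repository): a miniature rainbow
// table for MD5 over a tiny keyspace, so it builds in a fraction of a second.
// CHARSET, PW_LENGTH, CHAIN_LEN and NUM_CHAINS are assumptions chosen only to
// keep the demonstration small; real tables use millions of long chains.
declare(strict_types=1);

const CHARSET    = 'abcdef';  // 6 characters...
const PW_LENGTH  = 3;         // ...of length 3: 216 possible passwords
const CHAIN_LEN  = 10;        // hash/reduce steps per chain
const NUM_CHAINS = 60;        // stored (end hash => seed) rows

// Map an integer onto the keyspace (base-6 digits become characters).
function indexToPassword(int $n): string
{
    $chars = CHARSET;
    $base  = strlen($chars);
    $pw = '';
    for ($i = 0; $i < PW_LENGTH; $i++) {
        $pw .= $chars[$n % $base];
        $n = intdiv($n, $base);
    }
    return $pw;
}

// Reduction function: maps a hash back into the keyspace. The column index is
// mixed in so every column uses a different reduction function, which is what
// turns a plain chained table into a rainbow table.
function reduce(string $hash, int $column): string
{
    $n = (int) hexdec(substr($hash, 0, 12)) + $column;   // 48 bits fits a 64-bit int
    return indexToPassword($n);
}

// Build the table: walk each chain, but store only its seed and final hash.
function buildTable(int $numChains): array
{
    $table = [];
    for ($c = 0; $c < $numChains; $c++) {
        $seed = reduce(md5('seed' . $c), 0);   // deterministic seeds, for reproducibility
        $pw = $seed;
        $hash = '';
        for ($col = 0; $col < CHAIN_LEN; $col++) {
            $hash = md5($pw);
            $pw = reduce($hash, $col);
        }
        $table[$hash] = $seed;   // a later chain with the same end simply overwrites
    }
    return $table;
}

// Look up a target hash: guess which column it sits in, finish the chain from
// there, and if the end is stored, regenerate that chain from its seed.
function lookup(array $table, string $target): ?string
{
    for ($j = CHAIN_LEN - 1; $j >= 0; $j--) {
        $hash = $target;
        for ($col = $j; $col < CHAIN_LEN - 1; $col++) {
            $hash = md5(reduce($hash, $col));
        }
        if (!isset($table[$hash])) {
            continue;
        }
        $pw = $table[$hash];
        for ($col = 0; $col < CHAIN_LEN; $col++) {
            $h = md5($pw);
            if ($h === $target) {
                return $pw;
            }
            $pw = reduce($h, $col);
        }
        // False alarm: the end matched through a merged chain. Keep searching.
    }
    return null;
}

// Demo: how much of the 216-password keyspace do 60 stored rows cover?
$table = buildTable(NUM_CHAINS);
$total = strlen(CHARSET) ** PW_LENGTH;
$covered = 0;
for ($n = 0; $n < $total; $n++) {
    $pw = indexToPassword($n);
    if (lookup($table, md5($pw)) === $pw) {
        $covered++;
    }
}
printf("%d rows stored, %d of %d passwords recoverable (%.0f%%)\n",
    count($table), $covered, $total, 100 * $covered / $total);
```

Run it with `php rainbow.php`. The coverage figure depends on the chain parameters: chains that collide in the same column merge and cover the same passwords twice, which is why real tables need far more chains than keyspace / chain length would suggest.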
Defense!
Salted MD5
git checkout salted-md5
Uses the MD5 Cryptographic Hash function.
But adds a random salt UNIQUE per user.
md5($salt . $password)
hash('md5', $salt . $password)
Salts
Must be unique!
- Per hash
- Globally
Should be random
- Strong!!!
- Reasonably long (at least 64 bits)
Salted MD5
What's the problem now?
SQL-Injection still gives us the hash, and the salt.
But the salt defeats rainbow tables...
Can Anyone See The Problem?
What's A Cryptographic Hash?
Like a fingerprint.
One-way.
- Easy and efficient to compute   <- look at this one again
- Very inefficient to reverse (practically impossible)
- Very hard to create a collision (new input with same output)
Hash Functions Are Made To Be FAST
Brute Forcing
Several Tools Available
- John The Ripper
- oclHashcat
A Lot Faster Than You May Think
Brute Forcing
Multiple Ways To Attack
- Mask Based (permutations)
- Dictionary Based
- Combinator Based (combinations of dictionary words)
- Fingerprint Based (combinators applied with permutations)
- Rule Based (takes an input password and transforms it)
Brute Forcing Salted MD5
2012 Macbook Pro:
- md5: 33 million per second
- sha256: 20 million per second
Mask Attack:
- 6 char passwords: 5 hours
- 7 char passwords: 22 days
Entire English Language: 1.8 seconds
"LEET" Permutations: 1 hour
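The dictionary and rule based attacks listed above, run against the salted-md5 scheme in PHP, as an added example (not code from the talk or its repository). The salt generation, the rule set, the wordlist and the user records are all constructed for the illustration; the point it shows is that a per-user salt only multiplies the attacker's work by the number of users, it does not make any single guess slower.

```php
<?php
// Added example, not from the talk or its repository. Stores passwords the
// way the salted-md5 branch does, md5($salt . $password), then recovers them
// with a small dictionary + rule attack. Wordlist, rules and user records
// are constructed for illustration.
declare(strict_types=1);

function storeSaltedMd5(string $password): array
{
    $salt = bin2hex(random_bytes(16));          // 128-bit random salt, unique per user
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

// Rule engine: every rule turns one dictionary word into one candidate.
function applyRules(string $word): iterable
{
    yield $word;                                  // as-is
    yield ucfirst($word);                         // Capitalize
    yield strrev($word);                          // reverse
    for ($n = 0; $n < 100; $n++) {                // append 0..99
        yield $word . $n;
        yield ucfirst($word) . $n;
    }
    $leet = strtr($word, ['a' => '4', 'e' => '3', 'i' => '1', 'o' => '0', 's' => '$']);
    yield $leet;                                  // "leet" substitutions
    yield $leet . '!';
    yield ucfirst($word) . '!';
}

// Dictionary attack. The salt forces the guesses to be redone once per user
// (no shared table), but each guess is still a single fast md5() call.
function crackSaltedMd5(array $users, array $wordlist): array
{
    $found = [];
    $guesses = 0;
    foreach ($users as $name => $rec) {
        foreach ($wordlist as $word) {
            foreach (applyRules($word) as $candidate) {
                $guesses++;
                if (md5($rec['salt'] . $candidate) === $rec['hash']) {
                    $found[$name] = $candidate;
                    continue 3;                   // next user
                }
            }
        }
    }
    return [$found, $guesses];
}

// Constructed sample data.
$wordlist = ['password', 'monkey', 'dragon', 'letmein', 'argentina', 'football'];
$users = [
    'alice' => storeSaltedMd5('Password1'),
    'bob'   => storeSaltedMd5('dr4g0n!'),
    'carol' => storeSaltedMd5('Argentina!'),
    'dave'  => storeSaltedMd5('xK9#qpL2v'),      // out of reach of these rules
];

$start = microtime(true);
[$found, $guesses] = crackSaltedMd5($users, $wordlist);
$elapsed = microtime(true) - $start;

foreach ($users as $name => $_) {
    printf("%-6s %s\n", $name, $found[$name] ?? '(not recovered)');
}
printf("%d guesses in %.3f s (%.0f guesses/s on one PHP core)\n",
    $guesses, $elapsed, $guesses / max($elapsed, 1e-9));
```

Even interpreted PHP gets through the whole rule set for four users in well under a second; the numbers on the slide are what the same idea looks like in optimised C on a laptop GPU.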
We Can Do Better
Brute Forcing Salted MD5
25 GPU Cluster (< US$50,000):
- md5: 180 Billion per second
Mask Attack:
- 6 char passwords: 4 seconds
- 7 char passwords: 6 minutes
- 8 char passwords: 10 hours
Entire English Language: yeah...
"LEET" Permutations: 0.7 seconds
But Wait, I Thought MD5 Was Broken?
MD5 IS Broken!
But that is not what matters here: no other primitive hash does any better for passwords.
- sha1 ≈ md5
- sha256 ≈ md5
- sha512 ≈ md5
- whirlpool ≈ md5
ALL raw primitive hashes are broken for password storage.
So, How Can We Combat Such Hardware?
Iterated MD5
git checkout iterated-md5
Uses the MD5 Cryptographic Hash function.
But adds a random salt UNIQUE per user.
And iterates a lot of times.

$h = '';   // running digest, fed back into every round
$i = 0;    // round counter; this loop runs 1001 rounds
do {
    $h = md5($h . $salt . $password);
} while ($i++ < 1000);
We're Intentionally Slowing It Down
Brute Forcing Iterated MD5
25 GPU Cluster:
- iterated md5: 70 million per second
Mask Attack (95^n candidates at 70 million per second):
- 6 char passwords: about 3 hours
- 7 char passwords: about 12 days
- 8 char passwords: about 3 years
Entire English Language: 0.8 seconds
We Can Do Better
PBKDF2
git checkout pbkdf2
Uses the standard PBKDF2 algo, with the SHA512 primitive.
Slower, and harder to use on GPU.
pbkdf2($pass, $salt, 10000, 40)
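What the `pbkdf2()` call above actually computes, as an added example (this is not the helper from the talk's repository): PBKDF2 from RFC 2898 written out with `hash_hmac()` so the iterated, serial structure is visible, checked against PHP's built-in `hash_pbkdf2()` (PHP 5.5 and later), plus an assumed storage format and a verifier. The password, salt and the `pbkdf2_sha512$...` record layout are assumptions.

```php
<?php
// Added example, not the pbkdf2() helper from the talk's repository: PBKDF2
// (RFC 2898) spelled out with hash_hmac(), checked against PHP's built-in
// hash_pbkdf2() (PHP >= 5.5), plus an assumed storage format and verifier.
declare(strict_types=1);

function pbkdf2Manual(string $algo, string $password, string $salt, int $iterations, int $length): string
{
    $hashLen = strlen(hash($algo, '', true));
    $blocks  = (int) ceil($length / $hashLen);
    $out = '';
    for ($i = 1; $i <= $blocks; $i++) {
        // U1 = PRF(password, salt || INT_32_BE(i)); PRF is HMAC keyed with the password.
        $u = hash_hmac($algo, $salt . pack('N', $i), $password, true);
        $t = $u;
        // U_c = PRF(password, U_{c-1}); T_i = U1 xor U2 xor ... xor U_iterations.
        // Every round needs the previous one, so a single guess cannot be
        // parallelised; attackers only get parallelism across guesses.
        for ($c = 1; $c < $iterations; $c++) {
            $u = hash_hmac($algo, $u, $password, true);
            $t ^= $u;
        }
        $out .= $t;
    }
    return substr($out, 0, $length);
}

// Assumed storage format: algo$iterations$salt$dk, salt and dk base64-encoded,
// so the iteration count can be raised later without breaking old records.
function pbkdf2Store(string $password, int $iterations = 10000, int $length = 40): string
{
    $salt = random_bytes(16);
    $dk = hash_pbkdf2('sha512', $password, $salt, $iterations, $length, true);
    return implode('$', ['pbkdf2_sha512', $iterations, base64_encode($salt), base64_encode($dk)]);
}

function pbkdf2Verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2_sha512') {
        return false;
    }
    $iterations = (int) $parts[1];
    $salt = base64_decode($parts[2], true);
    $dk   = base64_decode($parts[3], true);
    if ($salt === false || $dk === false || $iterations < 1) {
        return false;
    }
    $candidate = hash_pbkdf2('sha512', $password, $salt, $iterations, strlen($dk), true);
    return hash_equals($dk, $candidate);   // constant-time comparison
}

$password = 'correct horse battery staple';
$salt = random_bytes(16);
$manual  = pbkdf2Manual('sha512', $password, $salt, 10000, 40);
$builtin = hash_pbkdf2('sha512', $password, $salt, 10000, 40, true);
printf("manual == built-in: %s\n", hash_equals($builtin, $manual) ? 'yes' : 'NO');

$stored = pbkdf2Store($password);
$t = microtime(true);
$ok = pbkdf2Verify($password, $stored);
printf("verify correct password: %s in %.1f ms\n", $ok ? 'ok' : 'FAIL', (microtime(true) - $t) * 1000);
printf("verify wrong password: %s\n", pbkdf2Verify('wrong password', $stored) ? 'accepted?!' : 'rejected');
```

Use the built-in in production; the manual version is here to show that the whole cost of PBKDF2 is a chain of HMAC calls, which is exactly the operation GPU crackers are good at, hence the slide's numbers.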
Brute Forcing PBKDF2
25 GPU Cluster:
- PBKDF2(sha512): 300,000 per second
Mask Attack:
- 6 char passwords: 28 days
- 7 char passwords: 7 years
- 8 char passwords: 700 years
Entire English Language: 3 minutes
We Can Still Do Better
BCrypt
git checkout bcrypt
Uses the standard BCrypt algo, based on the Blowfish cipher.
Same execution time, much harder to run on GPU.
crypt() with the $2a$ prefix; on PHP >= 5.3.7 prefer $2y$, which avoids a bug in PHP's older $2a$ implementation with non-ASCII bytes.
Brute Forcing BCrypt
25 GPU Cluster:
- BCrypt: 70,000 per second
Mask Attack:
- 6 char passwords: 120 days
- 7 char passwords: 31 years
- 8 char passwords: 3000 years
Entire English Language: 14 minutes
A Note On Cost
BCrypt accepts a "cost" parameter.
Must be tuned per server!
- Target about 0.1 to 0.25 second runtime
- Cost of 10 is a good baseline
- Cost of 11 or 12 is better, but only if you have good hardware
PHP 5.5 Password Hashing API
git checkout password-compat
A thin wrapper over crypt()
- Simplifies implementation
- Strong random salt generation
- Can specify cost as an int option
password_hash($pass, $algo, [$opts])
password_verify($pass, $hash)
github.com/ircmaxell/password_compat
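The cost tuning from the previous slide and the password_hash() API in one place, as an added example (not code from the talk, the bad-web-app repository or password_compat). The timing targets follow the slide; the benchmark password, the cost range searched, and the stale cost-4 record standing in for an old database row are assumptions.

```php
<?php
// Added example, not from the talk or password_compat: pick a bcrypt cost for
// this server by timing it, then hash, verify, and transparently re-hash
// records that were stored with an older (cheaper) cost.
declare(strict_types=1);

// Highest cost that keeps one hash under $targetSeconds on this machine.
function chooseBcryptCost(float $targetSeconds = 0.1, int $min = 10, int $max = 14): int
{
    $cost = $min;
    for ($c = $min; $c <= $max; $c++) {
        $start = microtime(true);
        password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $c]);
        if (microtime(true) - $start > $targetSeconds) {
            break;
        }
        $cost = $c;
    }
    return $cost;
}

// Returns the stored hash (possibly upgraded) on success, null on failure.
function login(string $password, string $storedHash, int $cost): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    // Stored with an older cost or algorithm? We hold the plaintext right now,
    // so this is the only moment the record can be upgraded.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return $storedHash;
}

$cost = chooseBcryptCost();
printf("cost %d chosen for this machine\n", $cost);

// password_hash() generates its own 128-bit random salt; nothing to do here.
$fresh = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => $cost]);
printf("new record: %s\n", $fresh);                  // "$2y$" prefix, cost, salt, hash

// Simulated old row hashed years ago with cost 4 (the minimum bcrypt allows).
$stale = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]);
printf("wrong password accepted: %s\n", login('wrong', $stale, $cost) === null ? 'no' : 'YES?!');
$upgraded = login('hunter2', $stale, $cost);
printf("stale record upgraded on login: %s\n", ($upgraded !== null && $upgraded !== $stale) ? 'yes' : 'no');
```

Run the cost chooser once at deploy time, not per request, and store the chosen value in configuration; password_needs_rehash() then takes care of migrating old rows as users log in.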
We Can Do Even Better!
Let's Encrypt As Well!
Encrypted BCrypt
git checkout bcrypt-with-encryption
Hash with BCrypt, then encrypt the result with AES-128.
Requires key storage for the app (not trivial).
Use only if needed! BCrypt alone is typically sufficient.
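One way to build the hash-then-encrypt layer described above, as an added example (not the bcrypt-with-encryption branch's own code). It uses AES-128-GCM through PHP's openssl extension (PHP 7.1 or later for the tag parameter) with the key read from an environment variable; the key source, the `PEPPER_KEY` name, the demo fallback key and the nonce || tag || ciphertext record layout are all assumptions.

```php
<?php
// Added example, not the bcrypt-with-encryption branch's code: bcrypt the
// password, then encrypt the hash with AES-128-GCM under a key kept outside
// the database (here an environment variable), so a SQL injection that dumps
// the table yields nothing that can be cracked. Needs PHP >= 7.1.
declare(strict_types=1);

const CIPHER = 'aes-128-gcm';

function loadKey(): string
{
    // Assumed deployment detail: 16-byte key, hex-encoded, in PEPPER_KEY.
    // The fallback below exists only so the demo runs; never ship a fixed key.
    $hex = getenv('PEPPER_KEY') ?: '00112233445566778899aabbccddeeff';
    $key = hex2bin($hex);
    if ($key === false || strlen($key) !== 16) {
        throw new RuntimeException('PEPPER_KEY must be 16 bytes, hex-encoded');
    }
    return $key;
}

function protectPassword(string $password, string $key): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    $iv = random_bytes(12);                       // 96-bit GCM nonce, unique per record
    $tag = '';
    $ct = openssl_encrypt($hash, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Record layout (assumed): nonce || tag || ciphertext, base64 for the DB column.
    return base64_encode($iv . $tag . $ct);
}

function verifyProtected(string $password, string $stored, string $key): bool
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        return false;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    // GCM authenticates: a tampered record or a wrong key fails here, before
    // bcrypt is ever run.
    $hash = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($hash === false) {
        return false;
    }
    return password_verify($password, $hash);
}

$key = loadKey();
$record = protectPassword('hunter2', $key);
printf("stored record: %s\n", $record);
printf("correct password: %s\n", verifyProtected('hunter2', $record, $key) ? 'accepted' : 'rejected');
printf("wrong password:   %s\n", verifyProtected('hunter3', $record, $key) ? 'accepted' : 'rejected');
// What SQL injection alone yields is $record; without $key it is opaque.
printf("wrong key:        %s\n", verifyProtected('hunter2', $record, str_repeat("\0", 16)) ? 'accepted' : 'rejected');
```

Key rotation is the operational cost this slide warns about: to change the key you must decrypt and re-encrypt every row, so keep a key identifier with each record if you ever expect to rotate.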
Brute ForcingEncrypted BCrypt
Attack requires a low-level server compromise! SQL Injection is not enough!
localhost/codeinject
Simulates code injection that reads source.
Any low-level compromise is no worse than raw BCrypt: BCrypt is the baseline.
The Future
The Future
scrypt
- Sequential Memory Hard
- Uses a LOT of memory (> 4mb / hash)
- MUCH harder to brute-force than bcrypt, IFF set up correctly
The Future
Password Hashing Competition
- Currently being set up
- Aims to pick a "standard" password hashing algorithm
- A community effort
The Future
Brute Forcing Word Lists: complex combinations of words ("horse correct battery staple")
Brute Forcing Grammar: "I don't want no cookies"
Brute Forcing Structures: URLs, email addresses, etc.
“Few false ideas have more firmly gripped the minds of so many intelligent men than the one that, if they just tried, they could invent a cipher that no one could break.”
- David Kahn
A Note On Protecting Yourself
xkcd.com/936/
xkcd.com/936/: BAD ADVICE
Use True Random Passwords
Use A Password Manager