While looking into the VirtueMart source, I noticed that you guys generate passwords for orders like this:
$_orderData->order_pass = 'p_'.substr( md5((string)time().$_orderData->order_number ), 0, 5);
Is it safe? I mean, if somebody knows the order number and knows the day when the order was created, there are only 86400 possible passwords! There are only 86400 seconds in a day. And that number will be lower if the approximate time of the order is known.
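To put numbers on the concern raised above, here is an added example (my code, not VirtueMart's) written in Python rather than PHP. It reproduces the quoted generator byte for byte (Python's hashlib.md5 hexdigest equals PHP's md5() output), then enumerates every second of the day the order was placed, exactly as an attacker who knows the order number and the date would. The order number "12345", the date 2 May 2012 and the order time are constructed sample values, not taken from a real shop. The function random_order_pass is a stand-in for the "rand" suggested in the replies, using the operating system's CSPRNG.

```python
import hashlib
import secrets
from datetime import datetime, timezone

# Constructed sample input (not a real VirtueMart order): the order number an
# attacker is assumed to know, and the UTC day on which the order was placed.
ORDER_NUMBER = "12345"
DAY_START = int(datetime(2012, 5, 2, tzinfo=timezone.utc).timestamp())
SECONDS_PER_DAY = 86400


def virtuemart_order_pass(ts: int, order_number: str) -> str:
    """Python equivalent of the quoted PHP line:
        'p_' . substr(md5((string)time() . $order_number), 0, 5)
    PHP's md5() returns lowercase hex, so the digests match exactly."""
    digest = hashlib.md5(f"{ts}{order_number}".encode("ascii")).hexdigest()
    return "p_" + digest[:5]


def max_distinct_passwords() -> int:
    """Upper bound on the keyspace independent of the time component:
    five hex characters give 16**5 distinct suffixes."""
    return 16 ** 5


def brute_force_order_pass(target: str, order_number: str, day_start: int,
                           window: int = SECONDS_PER_DAY):
    """Try every second of the day the order was created. Returns
    (timestamp, attempts) for the first timestamp whose derived password
    equals the target, or None. Because of the 5-character truncation an
    earlier timestamp may collide with the real one; that password is still
    accepted by the site, so the attacker does not care which one it is."""
    for attempt in range(window):
        ts = day_start + attempt
        if virtuemart_order_pass(ts, order_number) == target:
            return ts, attempt + 1
    return None


def distinct_passwords_for_day(order_number: str, day_start: int) -> int:
    """Size of the effective keyspace for one known order number and day."""
    return len({virtuemart_order_pass(day_start + i, order_number)
                for i in range(SECONDS_PER_DAY)})


def random_order_pass(nbytes: int = 16) -> str:
    """Replacement generator (an assumption, not VirtueMart's code): 128 bits
    from the OS CSPRNG, independent of both the clock and the order number."""
    return "p_" + secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Simulate an order placed at 18:22:55 UTC on the constructed day.
    real_ts = DAY_START + 18 * 3600 + 22 * 60 + 55
    target = virtuemart_order_pass(real_ts, ORDER_NUMBER)
    found_ts, attempts = brute_force_order_pass(target, ORDER_NUMBER, DAY_START)
    print(f"target {target} recovered after {attempts} guesses "
          f"(ts {found_ts}, real ts {real_ts})")
    print(f"distinct passwords for this order/day: "
          f"{distinct_passwords_for_day(ORDER_NUMBER, DAY_START)} "
          f"of at most {max_distinct_passwords()}")
    print("random replacement:", random_order_pass())
```

The whole day costs 86400 MD5 calls, which finishes in well under a second on a laptop, and knowing the approximate order time shrinks that further. Note the second, independent limit: whatever the timestamp, the suffix is five hex characters, so there are never more than 1,048,576 distinct passwords for any order, and a site that does not rate-limit the order lookup form can be searched exhaustively without knowing the date at all.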
You also need to know the order_number, and the order number also uses a "password". But you are not completely wrong; why not just add a rand?
86400 * X possible order numbers = possible results, or something like that, or not?
Both are random numbers.
With brute force you can always find a password. But in how much time?
E.g. if you have the Joomla login, how long does it take to find the password for an account by brute force?
Login: admin, password: 123 is valid in Joomla.
I'm not saying that it is an issue. It just looks a bit suspicious. And probably in some situations somebody can guess the password knowing only the order number.
Quote from: Electrocity on May 02, 2012, 18:22:55 PM
Both are random numbers.
Right now they are not random; they depend on each other. Add some random numbers and we are totally safe ;)
Already done, as I said in my first answer.