Is it safe to generate passwords like that?

Started by andrey, May 02, 2012, 13:59:18 PM

andrey

While looking into the VirtueMart source, I noticed that you guys generate passwords for orders like this:
$_orderData->order_pass = 'p_'.substr( md5((string)time().$_orderData->order_number ), 0, 5);

Is it safe? I mean, if somebody knows the order number and knows the day when the order was created, there are only 86400 possible passwords! There are only 86400 seconds in a day. And that number will be lower if the approximate time of the order is known.

Milbo

You also need to know the order_number, and the order number is also using a "password". But you are not completely wrong, why not just add a rand.
Should I fix your bug? Please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/
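To make andrey's 86400-per-day calculation and Milbo's "add a rand" suggestion concrete, here is an added example (not code from the thread or from VirtueMart) that places the quoted generator beside a CSPRNG-based one and measures how many distinct passwords the weak form can produce for one order in one day. The order number, the day and the 10-hex-character output length are assumptions, and random_bytes assumes PHP 7.0 or later.

```php
<?php
// Added example for this thread (not VirtueMart code): the weak generator
// quoted above beside a CSPRNG-based replacement, plus a count of how many
// distinct passwords the weak form can produce for one order in one day.

// Weak form from the thread: the only inputs are the creation time (seconds)
// and the order number, so the output is fully determined by them.
function weakOrderPass(int $timestamp, string $orderNumber): string
{
    return 'p_' . substr(md5((string)$timestamp . $orderNumber), 0, 5);
}

// Hardened form (assumes PHP >= 7.0 for random_bytes): the password is drawn
// from CSPRNG bytes only, so knowing the order number and creation time
// tells a guesser nothing. Length is a parameter; 10 hex chars = 40 bits.
function strongOrderPass(int $hexChars = 10): string
{
    $bytes = random_bytes((int)ceil($hexChars / 2));
    return 'p_' . substr(bin2hex($bytes), 0, $hexChars);
}

// Defender's measurement: how many distinct weak passwords exist for a given
// order number across one UTC day. The bound is 86400 (one per second);
// the real count is slightly lower because the 5-char truncation of md5
// (16^5 = 1048576 values) produces some collisions among 86400 inputs.
function weakCandidateSpace(string $orderNumber, int $dayStart): int
{
    $seen = [];
    for ($t = $dayStart; $t < $dayStart + 86400; $t++) {
        $seen[weakOrderPass($t, $orderNumber)] = true;
    }
    return count($seen);
}

$orderNumber = 'VM-2012-0001';                          // constructed sample
$dayStart    = strtotime('2012-05-02 00:00:00 UTC');    // constructed sample day
$created     = $dayStart + 50358;                       // 13:59:18 UTC that day

printf("weak password for the sample order: %s\n", weakOrderPass($created, $orderNumber));
printf("distinct weak passwords for that order in one day: %d (<= 86400)\n",
       weakCandidateSpace($orderNumber, $dayStart));
printf("strong password (new value each run): %s\n", strongOrderPass());
```

Note that rand() and mt_rand() are not cryptographic generators; if the fix must run on PHP older than 7.0, openssl_random_pseudo_bytes is the closest equivalent to random_bytes.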

Studio 42

86400 * X possible order numbers = possible results, or something like that, or not?
Both are random numbers.
In brute force you can always find a password. But in how much time?
E.g. if you have the Joomla login, how long to find the password for an account by brute force?
login: admin, password: 123 is valid in Joomla

andrey

I'm not saying that it is an issue. It just looks a bit suspicious. And probably in some situations somebody can guess the password knowing only the order number.
Quote from: Electrocity on May 02, 2012, 18:22:55 PM
Both are random numbers.
Right now they are not random; they depend on each other. Add some random numbers and we are totally safe ;)

Milbo

Already done, as I said in my first answer.
Should I fix your bug? Please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/