Author Topic: Is it safe to generate passwords like that?  (Read 1832 times)

andrey

  • Beginner
  • *
  • Posts: 16
Is it safe to generate passwords like that?
« on: May 02, 2012, 13:59:18 pm »
While looking into the VirtueMart source, I noticed that you guys generate passwords for orders like that:
Code:
$_orderData->order_pass = 'p_'.substr( md5((string)time().$_orderData->order_number ), 0, 5);
Is it safe? I mean, if somebody knows the order number and knows the day when the order was created, there are only 86400 possible passwords! There are only 86400 seconds in a day. And that number will be lower if the approximate time of the order is known.

Milbo

  • Virtuemart Projectleader
  • Administrator
  • Super Hero
  • *
  • Posts: 10070
  • VM3.2 Cached and Optimized
    • VM3 Extensions
  • VirtueMart Version: VirtueMart 3 on joomla 3
Re: Is it safe to generate passwords like that?
« Reply #1 on: May 02, 2012, 17:01:10 pm »
You also need to know the order_number, and the order number is also using a "password". But you are not completely wrong, why not just add a rand.
I should fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Studio 42

  • Contributing Developer
  • Sr. Member
  • *
  • Posts: 4347
  • Joomla & Virtuemart developer
    • Studio 42 - Virtuemart & Joomla extensions
  • VirtueMart Version: 2.6 & 3
Re: Is it safe to generate passwords like that?
« Reply #2 on: May 02, 2012, 18:22:55 pm »
86400 * X possible order numbers = possible results, or something like that, or not?
All 2 are random numbers
With brute force you can always find a password. But in how much time?
E.g. if you have the Joomla login, how long does it take to find the password for an account by brute force?
login: admin, password: 123 is valid in Joomla

andrey

Re: Is it safe to generate passwords like that?
« Reply #3 on: May 03, 2012, 06:35:36 am »
I'm not saying that it is an issue. It just looks a bit suspicious. And probably in some situations somebody can guess the password, knowing only order number.
Quote from: Studio 42
"All 2 are random numbers"
Right now they are not random, they depend on each other. Add some random numbers and we are totally safe  ;)
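
The dependence discussed in this thread, as an added example (not VirtueMart code and not written by any poster): it puts the quoted generator beside a CSPRNG-based one and counts how many distinct passwords the quoted one can produce for a single order number inside a known time window. The order number, the date and the function names are constructed for illustration; random_bytes assumes PHP 7 or later.

```php
<?php
// Added example, not VirtueMart code. Order number and dates are constructed.

// The generator quoted in the first post: the only unknown input is time().
function weak_order_pass(string $orderNumber, int $now): string {
    return 'p_' . substr(md5((string)$now . $orderNumber), 0, 5);
}

// Hardened form (assumption: PHP 7+): 16 bytes from the CSPRNG,
// independent of both the order number and the clock.
function strong_order_pass(): string {
    return 'p_' . bin2hex(random_bytes(16));
}

// Distinct passwords the weak generator can emit for one order number
// when the creation time is known to lie in [$from, $to] (inclusive).
function weak_candidate_count(string $orderNumber, int $from, int $to): int {
    $seen = [];
    for ($t = $from; $t <= $to; $t++) {
        $seen[weak_order_pass($orderNumber, $t)] = true;
    }
    return count($seen); // at most one per second; fewer if prefixes collide
}

$orderNumber = 'ab12cd0034';                          // constructed sample
$dayStart    = strtotime('2012-05-02 00:00:00 UTC');  // constructed sample

$day  = weak_candidate_count($orderNumber, $dayStart, $dayStart + 86399);
$hour = weak_candidate_count($orderNumber, $dayStart, $dayStart + 3599);

printf("weak, day known:  %d candidates (%.1f bits)\n", $day, log($day, 2));
printf("weak, hour known: %d candidates (%.1f bits)\n", $hour, log($hour, 2));
printf("5 hex chars cap:  %d values (20 bits)\n", 16 ** 5);
printf("random_bytes(16): 128 bits, e.g. %s\n", strong_order_pass());
```

Even with an unpredictable input, keeping only 5 hex characters caps the password at 16^5 = 1048576 values, so the hardened form also returns the full random string.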

Milbo

Re: Is it safe to generate passwords like that?
« Reply #4 on: May 03, 2012, 12:05:14 pm »
Already done, as I said in my first answer.