How safe is an MD5 hash of a plain password?

First of all, I hope that you’ve moved beyond MD5 hashes and hashing passwords by themselves, adding salts, etc., but I do recall systems in which an MD5 hash of a password by itself was “good enough”.

You can look up some md5 hashes on this md5 cracker page. I found many two-word combinations that were crackable.

You can play with generating md5 hashes of questionable passwords (such as your name and p@ssw0rd) with this md5 Hash Generator.
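The lookup weakness the post is getting at, as an added example that is not part of the original post: an unsalted MD5 of a password is the same for every user who picked that password, so one precomputed table reverses all of them at once. The word list below is a constructed stand-in for the tables behind an online "md5 cracker" page, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for the "salts, etc." the post alludes to; a per-user random salt makes the table useless and the iteration count slows down guessing.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the word lists behind online "md5 cracker" pages
# (a real lookup service holds billions of precomputed entries).
COMMON_PASSWORDS = ["password", "p@ssw0rd", "letmein", "qwerty", "summer2009", "iloveyou"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, as the old 'good enough' schemes stored it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once; the same table serves every stolen hash."""
    return {md5_hex(w): w for w in words}


def reverse_unsalted_md5(digest_hex: str, table: dict):
    """Recover the plaintext by dictionary lookup, or None if it is not in the table."""
    return table.get(digest_hex.lower())


def hash_password_salted(password: str, salt=None, iterations: int = 200_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, stdlib only).

    Returns (salt, iterations, derived_key); all three are stored with the user record.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk


def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, _, dk = hash_password_salted(password, salt, iterations)
    return hmac.compare_digest(dk, expected)


def compare_schemes(password: str) -> dict:
    """Contrast the two schemes for one password.

    Unsalted MD5 yields a single digest that a precomputed table reverses;
    the salted scheme yields a different hash for each user, yet still verifies.
    """
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = md5_hex(password)
    salt_a, it_a, dk_a = hash_password_salted(password)   # "user A"
    salt_b, it_b, dk_b = hash_password_salted(password)   # "user B", same password
    return {
        "unsalted_digest": unsalted,
        "recovered_by_lookup": reverse_unsalted_md5(unsalted, table),
        "salted_hashes_differ": dk_a != dk_b,
        "verifies_with_stored_salt": verify_password(password, salt_a, it_a, dk_a),
        "wrong_password_rejected": not verify_password(password + "x", salt_a, it_a, dk_a),
    }


if __name__ == "__main__":
    for pw in ["password", "p@ssw0rd", "correct horse battery staple"]:
        print(pw, compare_schemes(pw))
```

Running it shows "password" and "p@ssw0rd" coming straight back out of the lookup table from their unsalted digests, while the two salted hashes of the same password never match each other and so cannot share a table; the passphrase that is not in the constructed list is not recovered, which is exactly the length argument the post makes with its two-word combinations. In a real system the salt, iteration count and derived key are all stored together, and the count is raised over time as hardware gets faster.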

Some thoughts on the ‘vulnerability’ of the 3G S $AAPL

Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses | Gadget Lab |

Some counterpoints:

  • The iPhone 3G S has to be in the physical possession of the hacker (instead of an over-the-air attack).
  • The iPhone can be wiped remotely (however, MobileMe, push, and Find My iPhone must be turned on, and must be connected to the internet).
  • The iPhone is more likely to be profiled as a valuable piece of hardware than for its data potential–the BlackBerry is a well-recognized business device and would be a more likely target for data thieves.

Some additional thoughts:

  • The iPhone has thus far been a consumer device, although the trickle in enterprise adoption makes this alarm-sounding well timed.
  • Apple does not currently provide enterprise management software for either desktops or phones, which (beyond security) is probably the greatest barrier to enterprise acceptance.

Microsoft Update Quietly Installs Firefox Extension

The whole reason I don’t use Internet Explorer except on rare occasions is that I don’t want website add-ons to automatically install without a little bit of fuss. I would expect this “ClickOnce” support would make accidental installation of malware more likely. No, thanks. I disabled it until I absolutely see a reason that I need it–which is my normal policy with Firefox add-ons.

Security Fix – Microsoft Update Quietly Installs Firefox Extension.

Clearly I missed out on all the fun.

Apparently, there was another exploit on Twitter today?  #dontclick

Those exploited would end up tweeting the following message:

Don’t Click:

So, it was a Twitter worm by way of clickjacking.  Though I missed out on the fun, I learned a new security term:  CSRF (Cross-site request forgery).  I tell you, security geeks get to see all kinds of cool stuff.

Code analysis:  Twitter Don’t Click Exploit

Twitter’s response:  Twitter Blog: Clickjacking Blocked.

10 of the Worst Moments in Network Security History

I don’t think that these are all necessarily “network” or “security” related, but they are interesting, nonetheless:

10 of the Worst Moments in Network Security History – Network World.