With some inspiration from Ben Ramsey, I created a little demo for using my MD5 database during the signup process on a website.
This example demonstrates the use of the MD5 database at http://md5.rednoize.com and AJAX to check password strength during signup on a website. After the user supplies a username and a password, an MD5 hash of the password is generated in the browser using Paul Johnston's md5 JavaScript library.
The hash of the password (not the password itself) is then sent to http://md5.rednoize.com. If the site returns a result for the given hash (meaning the hash/password combination is stored in the MD5 database), the password can be regarded as "insecure". Because only the MD5 hash of the password, and not the password itself, is transferred, no sensitive data is saved at md5.rednoize.com.
Of course, not every password that is absent from the MD5 database can be considered secure. I recommend adding some extra checks (presence of upper- and lowercase characters, numbers, special characters and so on) to increase the password strength.
You can see the example in action here: http://md5.rednoize.com/ajax/
Feel free to use the code in this example and play with it ;)
To implement this on your own web server you would need some kind of proxy script that forwards the AJAX calls from your own server to the MD5 database, since the browser only lets the page make such requests to its own origin.
Update:
I recommend saving passwords using salted md5 hashes. Salting in short: “When the user sets a password, a short string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is different for each user, the attacker can no longer use a single encrypted version of each candidate password. If the salt is long enough, the attacker must repeat the encryption of every guess for each user, and this can only be done after obtaining the encrypted password record for that user.”
Here’s a little example using salted passwords:
To authenticate users on your website (login), you're probably using a SQL statement like this one:
-- Insecure: the same password always yields the same hash, so a stored hash can be looked up directly.
SELECT user_id, username FROM users WHERE password = MD5('thepassword');
This is insecure. If someone knows the MD5 hash of the password, and the password is weak, it can be "reversed" using the MD5 database.
Use salted passwords to avoid this:
-- Salted: the user_id and a server-side secret are mixed into the hash, so the stored value no longer matches a plain MD5('thepassword').
-- || is the SQL-standard string concatenation operator; MySQL needs CONCAT() unless PIPES_AS_CONCAT is enabled.
SELECT user_id, username FROM users WHERE password = MD5(user_id || 'some_secret_string' || 'thepassword');
It's also possible to store the salt alongside the password hash in the database.