Archive for September, 2009

MD5 Hashes in Cocoa

Thursday, September 24th, 2009

Let’s jump straight into the code:

#import <commoncrypto /CommonDigest.h>
 
NSString* MD5StringOfString(NSString* inputStr)
{
	NSData* inputData = [inputStr dataUsingEncoding:NSUTF8StringEncoding];
	unsigned char outputData[CC_MD5_DIGEST_LENGTH];
	CC_MD5([inputData bytes], [inputData length], outputData);
 
	NSMutableString* hashStr = [NSMutableString string];
	int i = 0;
	for (i = 0; i < CC_MD5_DIGEST_LENGTH; ++i)
		[hashStr appendFormat:@"%02x", outputData[i]];
 
	return hashStr;
}

Now for the explanation.
(more…)

Posted in Cocoa, Security | View Comments

Coding Tip: Use The Ternary Conditional Operator

Wednesday, September 9th, 2009

The ternary conditional operator (?:) can be used as a short-hand version of an if statement. It is a feature of many languages.

For example, this code:

int height;
if(isTall)
    height = 50;
else
    height = 10;

can be better written as:

int height = isTall ? 50 : 10;

The ?: operator is good for replacing very simple if statements, but is bad for complicated if statements as it can harm readability.

Posted in Coding Tips | View Comments

Crack an MD5 hash in less than a second

Tuesday, September 1st, 2009

Here is a common misconception when it comes to password security:

“It’s unsafe store user passwords as plain text in the database, so I’ll MD5 the passwords. MD5 is safe because it is one-way encryption, and takes too long to brute force.”

WRONG!

An unsalted MD5 hash can be cracked in less than a second, because it is vulnerable to a precomputation attack. Don’t believe me? Try it for yourself. There are dozens of websites that will take a hash, and return the original password almost instantly. This is true of all hashing algorithms, not just MD5.

How do you defend against a precomputation attack? You use a salt when computing the hash. Using a large salt makes it infeasible to precompute. Also, it helps if you have a strong password that contains numbers, uppercase letters, lowercase letters, and especially symbols. You get bonus points if your password contains strange characters (unicode characters, ascii characters above 128, etc) because nobody can be bothered precomputing rainbow tables for those.

Posted in Security | View Comments