Unfortunately Prosper is not able to accept your post for to the Prosper Blog. Many of the sentiments expressed are shared, but we fell it is inappropriate for the blog. We are open to a revised version, but in it’s current form I will be unable to post it to the blog.
Accused Prospers.org of phishing for their users information.
Fostered such a “good community” on their blog that four days can pass without a single comment passing through their intense moderation
Back to my regularly scheduled post…
The short version…
Member since May 2006.
HR borrower the first time around, paid it off. ($1,000.00 @ 12.50%)
D borrower second time around, 25% paid off, never late. ($4,500.00 @ 13.50%)
Put $50 into my friends loan.
Emailed (in fairly accusatory tone) by Prosper because I talk about them on this blog. How nice of them to notice. It’s probably because I get a lot of traffic from the search engines on prosper keywords and/or because I am a Prospers.org member. Check my freshly minted stats for proof.
I originally wrote this in a discussion over at the West Wind forums. I’m reposting it here for informational purposes.
MD5 can easily be reversed using a lookup of ‘known’ hashes. So if user ‘Bob’ made a choose a password of ‘abc’ and we encrypted it on the client then sent it to the server we could store it in the databases as a hash instead of plain text. Hashing something without a salt would lead to a problem when the table got stolen or a man in the middle attack occurred. The bad guy could then take the hash and look it up in the reverse table then would have Bob’s password in plain text. Salt is when you combine Bob’s password with something else. For example, create a hash of his last name, DOB, and UserId…append it to the end of the password hash his browser sent and hash them together to compare with the hashed password.
Hmm…that didn’t make a lot of sense to me…I need more Code Red. I’ll try this way:
Bob signs up for your site with user name ‘Bob’ and password ‘1234’
Password in plain text: 1234
Password hash (1234, easily reversed): 81dc9bdb52d04dc20036dbd8313ed055
Password hash with salt (1234+Bob, not as easily reversed): 27d5c234335b9762416808e2ace80842
Password hash with salt + GUID: (1234+Bob+791ae620-e2f5-11db-8314-0800200c9a66, very hard to reverse): 34e25923be3cad2bb140c8c508f59e16
Store the hash of 1234 in your table, then when it is time to compare, make sure you concatenate consistently to get the right result.
I found an MD5 program by Gilles Patrick that works really well off of the VFP Wiki. It produces results that agree with the client side JS MD5 program I linked to above.
Hashing a single word is not nearly as secure as hashing that word plus some random (but consistent) text. More and more people use the same password for their email, system, start page, etc and I think my users appreciate it when I tell them up front that I don’t know their password. Recovering a users password can be a little tricky in that they have to create a new one instead of you telling them what it is, but security questions and using the email address on file works out good for recovery.
It’s been brought to my attention that perhaps I shouldn’t be so hard on Prosper because I am in fact a twice successful borrower through Prosper. I’ve been meaning for some time to write about my experience as a borrower, but haven’t really fleshed the idea out much yet. I’ll get to work on it…
Just about every blogger and their brother is posting this video. I was just getting into technology and development when the first internet bubble came and went. It feels the same this time, just new buzzwords and younger faces. Without further ado…
Edit: This video has been removed due to a DMCA takedown notice that was presented to YouTube. Abuse of the DMCA is another Web 2.0 feature it would seem.