glob2-devel

Re: [glob2-devel] YOG hosting/diagnosis


From: Austin H
Subject: Re: [glob2-devel] YOG hosting/diagnosis
Date: Sat, 16 Jul 2011 10:51:08 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Lightning/1.0b2 Thunderbird/3.1.11

Having a random salt really does make it much harder to crack the
passwords, and I would highly recommend that. With a random salt they
would have to attack each password individually rather than attacking
them all as a group, but a fixed salt will eliminate the use of rainbow
tables.

However, I am not sure of the purpose of hashing it twice. And by the
way, please use sha256 or sha512 to avoid the collisions with sha1.

On 07/16/2011 05:25 AM, Jannis Froese wrote:
> Hi,
> I would strongly suggest hashing them a second time after appending a
> salt (the salt could even be fixed). The server would then check the
> password by generating the hash sha1(sha1(password + salt)).
> If we don't add a salt in any way, the passwords are not very secure,
> as unsalted passwords are quickly decrypted using rainbow tables (sort
> of heavily compressed hash lookup). To see how easy this is, look at
> http://freerainbowtables.com, where you can download tables for
> passwords with up to 9 characters, depending on the complexity of the
> password.
> 
> Regards
> 
> 
> On Sat, 16 Jul 2011 11:01:39 +0200, Stéphane Magnenat
> <address@hidden> wrote:
>> Hello,
>>
>>> Stephane do you have any idea how to handle this correctly?
>>
>> The correct way would be to see where yog checks the passwords and to
>> add a hash there. We can then apply the same hash function to the
>> password data.
>>
>> I've been looking in YOG's source code, the passwords seem to be
>> already hashed using SHA1, see src/YOGServerPasswordRegistry.cpp:113
>>
>> Therefore, it is probably safe to transmit password data. What do you
>> think?
>>
>> Stéph
>>
>> -- 
>> Dr Stéphane Magnenat
>> http://stephane.magnenat.net
>>
>> _______________________________________________
>> glob2-devel mailing list
>> address@hidden
>> https://lists.nongnu.org/mailman/listinfo/glob2-devel
> 
> 
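The scheme the thread discusses, written out as an added example (Python, not glob2/YOG code): a client-side hash of the password, a server-side second hash over that value plus a salt, using SHA-256 as recommended above. The function names, the 16-byte salt length and the use of SHA-256 for the inner hash (YOG uses sha1 there) are assumptions; the last function shows why a per-user random salt matters, since with a fixed salt two accounts sharing a password store identical values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not the project's code. Models sha(sha(password) + salt)
# with SHA-256; the inner hash stands in for YOG's client-side sha1.


def inner_hash(password: str) -> bytes:
    """What the client transmits: a hash of the password, never the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def outer_hash(inner: bytes, salt: bytes) -> bytes:
    """Server-side second hash over the transmitted hash plus the salt."""
    return hashlib.sha256(inner + salt).digest()


def register(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, stored_hash). With salt=None a fresh random per-user salt is drawn."""
    if salt is None:
        salt = os.urandom(16)  # assumed salt length; stored beside the hash
    return salt, outer_hash(inner_hash(password), salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the stored value and compare in constant time."""
    candidate = outer_hash(inner_hash(password), salt)
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(candidate, stored)


def shared_password_visible(password: str, salt: Optional[bytes]) -> bool:
    """True if two accounts with the same password end up with identical stored hashes.

    With a fixed salt this is always True (and one precomputed table covers every
    user); with salt=None each account gets its own random salt and it is False.
    """
    _, first = register(password, salt)
    _, second = register(password, salt)
    return first == second
```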
