PtokaX should save password hashes instead of plain text

Started by Dam, 27 October, 2005, 17:03:59


Dam

I think saving passwords as plain text is insecure: anyone who gains access to the server where PtokaX is can steal users' passwords.

It's important to say that a lot of users use a single password for all their services, so, with their hub password, one can gain access to their e-mail service, and a lot more.

Using any of the standards here is MUCH more secure.

I recommend not using SHA-1, but it's better than just plain text.

Well, good luck!

Greetings from Argentina

[ZD][Psycho]

Quote: Originally posted by Dam
I think saving passwords as plain text is insecure
I agree. I've always thought that PX storing its passwords as plain text was the only big 'downside' of PX.
"Religion is regarded by the common people as true, by the wise as false, and by rulers as useful." -Seneca

Pothead

Plain text is nice.
Secure your PC.

Dam

#3
Quote: Originally posted by Pothead
Plain text is nice.
Secure your PC.

8o

Then I, and most operating systems, are wrong...

PPK

It's not a problem to save passwords encrypted, but anyone who has access to the server will always be able to steal passwords :rolleyes:
"Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris." - Larry Wall

Dam

#5
Quote: Originally posted by PPK
It's not a problem to save passwords encrypted, but anyone who has access to the server will always be able to steal passwords :rolleyes:

A password hash is pretty much useless to a cracker (because getting a password back from a hash is almost impossible); plus, none of the methods in the link I gave in my first post (except SHA-1) has a flaw (at least, for now).

If it's not a problem, please do it, using any of the methods mentioned here.

[ZD][Psycho]

Quote: Originally posted by Pothead
Plain text is nice.
Secure your PC.
There's no such thing as a "secure" PC.

6Marilyn6Manson6

Quote: Originally posted by [ZD][Psycho]
Quote: Originally posted by Pothead
Plain text is nice.
Secure your PC.
There's no such thing as a "secure" PC.

Mm, false... The PC is never "secure" :D

PPK

Quote: Originally posted by Dam
If it's not a problem, please do it, using any of the methods mentioned here.
I don't find any useful sources to use on this link, and as I said before, if anyone has access to the server then they are always able to steal passwords, and saving passwords encrypted does not fix this!

Dam

#9
Quote: Originally posted by PPK
Quote: Originally posted by Dam
If it's not a problem, please do it, using any of the methods mentioned here.
I don't find any useful sources to use on this link, and as I said before, if anyone has access to the server then they are always able to steal passwords, and saving passwords encrypted does not fix this!

Please note that I don't want PtokaX to encrypt passwords, I want PtokaX to hash passwords, which is not the same.

As I said before:

A password hash is pretty much useless to a cracker (because getting a password back from a hash is almost impossible); plus, none of the methods in the link I gave in my first post (except SHA-1) has a flaw (at least, for now).

If you tell me in what language PtokaX is programmed, maybe I can find a hashing function for you.

Tiskelion

It'd probably be best to implement SHA2(224) hashing using the Crypto++ library (which is free).

Google is my friend :)
Crypto++ website  :))

Also, I was wondering... the passwords would be kinda long with a message digest that has a minimum of 160 bits ?( Or am I mistaken...
:] I am master of what is my dome! :]


Dam

#11
Quote: Originally posted by Tiskelion
It'd probably be best to implement SHA2(224) hashing using the Crypto++ library (which is free).

Google is my friend :)
Crypto++ website  :))

Also, I was wondering... the passwords would be kinda long with a message digest that has a minimum of 160 bits ?( Or am I mistaken...

N I C E. You are right, the passwords will be longer, so I don't expect PtokaX developers to make it a default option, but please make it an option at least. ;)

Tiskelion

On second thought, it might be better to use a hash as a key for the encrypting engine. So:

Password creation:
1. User makes a password and regs with it.
2. The hub makes a hash from the password and encrypts the password with that hash as a key.
3. The hash is cleared from memory.

Password checking:
1. User logs in to the hub and gives his password.
2. His password is hashed, and that hash is used as a key to decrypt his password.
3. If the given password and the stored password match, the user is authentic and is given access to the hub.

Now the only problem - see, I don't know much about this stuff - is: is the hash for a given string "string" the same each time? Or does it change each time "string" is hashed? ?(


Dam

#13
Quote: Originally posted by Tiskelion
On second thought, it might be better to use a hash as a key for the encrypting engine. So:

Password creation:
1. User makes a password and regs with it.
2. The hub makes a hash from the password and encrypts the password with that hash as a key.
3. The hash is cleared from memory.

Password checking:
1. User logs in to the hub and gives his password.
2. His password is hashed, and that hash is used as a key to decrypt his password.
3. If the given password and the stored password match, the user is authentic and is given access to the hub.

Now the only problem - see, I don't know much about this stuff - is: is the hash for a given string "string" the same each time? Or does it change each time "string" is hashed? ?(

Please avoid the word encryption. What I think should be done is:

Password creation:

1. User inputs the password in PtokaX at reg
2. PtokaX hashes that password and saves the result (the hash)

Password checking:

1. User inputs the password in PtokaX at login
2. PtokaX hashes that password and compares it with the saved one; if they match, the user is authenticated; if not, access is denied

A hash for string X is always the same.

Tiskelion

Ah yes, stupid of me.

Why make it hard if it can be done simply :D


Dam

Quote: Originally posted by Tiskelion
Ah yes, stupid of me.

Why make it hard if it can be done simply :D

Someone who calls himself stupid isn't one ;)

PPK

Quote: Originally posted by Dam
A password hash is pretty much useless to a cracker
No cracker is dumb enough to try to get the password from a hash... when the DC protocol sends the password as plain text :D
As I said before... anyone who has access to the server is able to steal passwords and does not need the file with passwords :rolleyes:

Dam

#17
Quote: Originally posted by PPK
Quote: Originally posted by Dam
A password hash is pretty much useless to a cracker
No cracker is dumb enough to try to get the password from a hash... when the DC protocol sends the password as plain text :D
As I said before... anyone who has access to the server is able to steal passwords and does not need the file with passwords :rolleyes:

Don't you think we must make crackers' work harder and at least not let them use that file? :(

bluebear

Saving the passwords in a more secure way is a fine idea.
But DC is very insecure by nature, since passwords are sent as plain text when a user logs in; you can find these passwords by packet sniffing. And hashing the passwords will not make it more secure, you will still be able to find the passwords. The hash will always be the same for a given string, which means that you can quickly "un-hash" the passwords with a trial-and-error method.

PPK wrote:
Quote: No cracker is dumb enough to try to get the password from a hash

If they want the password for some reason they will try.
Sincerely,
bluebear
--
http://www.thewildplace.dk/ is closed - Use the following mirrors instead
http://bluebear.psycho-chihuahua.net
http://pxextension.piratez.dk/
[Lua extensions - Chat stats - YnHub PMSpy - DC Source code - and more]

bluebear

Quote: Originally posted by PPK
I don't find any useful sources to use on this link, and as I said before, if anyone has access to the server then they are always able to steal passwords, and saving passwords encrypted does not fix this!

But at least it will keep amateurs from getting the passwords.
Sincerely,
bluebear

Dam

#20
Quote: Originally posted by bluebear
Saving the passwords in a more secure way is a fine idea.
But DC is very insecure by nature, since passwords are sent as plain text when a user logs in; you can find these passwords by packet sniffing. And hashing the passwords will not make it more secure, you will still be able to find the passwords. The hash will always be the same for a given string, which means that you can quickly "un-hash" the passwords with a trial-and-error method.

PPK wrote:
Quote: No cracker is dumb enough to try to get the password from a hash

If they want the password for some reason they will try.

There's no such thing as "fast" in the hashing world; that's the reason why I chose hashing over encryption.

When you've got an encrypted password, you've got a password. When you've got a hash, that's all you have: you cannot recover a password from a hash; what you can do is a brute-force attack.

As bluebear said, we should make amateurs work harder.
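The register/check procedure Dam lays out above, together with the property bluebear raises (the same string always hashes to the same value, so guesses against a stored hash can be checked quickly), as an added Python example that is not PtokaX code and was not written by anyone in this thread. It goes one step beyond the plain hash the thread discusses: a random per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library) keeps the "hash at reg, hash again at login, compare" flow but makes each guess cost many hash computations. The salt size, iteration count and record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; they are not PtokaX settings.
SALT_BYTES = 16
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def register(password: str, iterations: int = ITERATIONS) -> str:
    """Password creation, step 2: hash the password and keep only the result.

    A fresh random salt means two users with the same password get different
    stored values, so one precomputed table does not serve every account, and
    the iteration count makes each trial-and-error guess expensive.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Stored record (assumed format): algorithm$iterations$salt_hex$digest_hex.
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Password checking, step 2: hash the supplied password the same way and
    compare with the saved record. The plain password is never stored."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False          # malformed record: deny rather than crash
    if algo != ALGO or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def unsalted_sha1(password: str) -> str:
    """The scheme as first proposed in the thread: one fixed hash of the bare
    password. Deterministic for every user, which is bluebear's objection."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = register("hubpass")  # constructed sample password
    print(record)
    print(verify("hubpass", record), verify("wrong", record))
    # Same password: identical unsalted hash, but different salted records.
    print(unsalted_sha1("hubpass") == unsalted_sha1("hubpass"))
    print(register("hubpass") == register("hubpass"))
```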

Pothead

If they can access your computer remotely, they are not amateurs, so you're f**ked no matter what you do.
If they can access your computer locally, like I said before: secure your PC.

Dam

#22
Quote: Originally posted by Pothead
If they can access your computer remotely, they are not amateurs, so you're f**ked no matter what you do.
If they can access your computer locally, like I said before: secure your PC.

An invulnerable computer does not exist, so please stop repeating that I should secure it, because I already did.

Someone who can get a password from a computer is not an awesome cracker, it's just someone who figured out (or stole) a password. I did such things when I was younger, for fun, using things like keyloggers. They are pretty easy to use, but they can still f**k you up.

I do not understand why you don't want to secure something; I understand that the passwords can still be discovered, but you can stop amateur crackers, which enhances the security of your software.

bluebear

#23
Anyway, I don't see how people here can say it's a bad idea... because it's not. Of course passwords should be secured as much as they possibly can be, no doubt about that.

But there are more important things to implement in PtokaX before this.

But if PPK is interested, I would be happy to write the code to hash the passwords, so he would only need to implement a few function calls here and there?
Sincerely,
bluebear

Dam

#24
Quote: Originally posted by bluebear
Anyway, I don't see how people here can say it's a bad idea... because it's not. Of course passwords should be secured as much as they possibly can be, no doubt about that.

But there are more important things to implement in PtokaX before this.

But if PPK is interested, I would be happy to write the code to hash the passwords, so he would only need to implement a few function calls here and there?

I would really appreciate it ;)

If you use Crypto++, I think you should only need function calls, as you said.
