PtokaX should save password hashes instead of plain text - Page 2
 

News:

29 December 2022 - PtokaX 0.5.3.0 (20th anniversary edition) released...
11 April 2017 - PtokaX 0.5.2.2 released...
8 April 2015 Anti child and anti pedo pr0n scripts are not allowed anymore on this board!
28 September 2015 - PtokaX 0.5.2.1 for Windows 10 IoT released...
3 September 2015 - PtokaX 0.5.2.1 released...
16 August 2015 - PtokaX 0.5.2.0 released...
1 August 2015 - Crowdfunding for ADC protocol support in PtokaX ended. Clearly nobody want ADC support...
30 June 2015 - PtokaX 0.5.1.0 released...
30 April 2015 Crowdfunding for ADC protocol support in PtokaX
26 April 2015 New support hub!
20 February 2015 - PtokaX 0.5.0.3 released...
13 April 2014 - PtokaX 0.5.0.2 released...
23 March 2014 - PtokaX testing version 0.5.0.1 build 454 is available.
04 March 2014 - PtokaX.org sites were temporary down because of DDOS attacks and issues with hosting service provider.

Main Menu

PtokaX should save password hashes instead of plain text

Started by Dam, 27 October, 2005, 17:03:59

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

nEgativE

Totally agree with this feature, good work for all of u :)

Pothead

#26
QuoteOriginally posted by Dam
An invulnerable computer does not exist, so please stop repeating me to secure it because I already did.
Ever considered buying a lock for your door ?

QuoteOriginally posted by Luso
Totally agree with this feature, good work for all of u :)
Not so good for anybody who has forgotten their password.

Dam

#27
QuoteOriginally posted by Pothead
QuoteOriginally posted by Dam
An invulnerable computer does not exist, so please stop repeating me to secure it because I already did.
Ever considered buying a lock for your door ?

QuoteOriginally posted by Luso
Totally agree with this feature, good work for all of u :)
Not so good for anybody who has forgotten their password.

If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.

PtokaX should not bother with saving passwords. If a user forgets it's password, he/she should talk with the person who is running PtokaX and then get a new one (based on questions, I don't know).

plop

#28
method 1.
some1 gets acces 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada there password appears on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force  un-hashed.

a secure windows machine doesn't excist, on average 6 exploits are found in only explorer itself per week.

but a simple hint run px under it's own user which has no login rights, and also secure the px folders by only giving the that certain user acces 2 the folder.
not full proof but takes no extra resources and you add another layer of security (stays windows).

plop
http://www.plop.nl lua scripts/howto\'s.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<

Dam

#29
QuoteOriginally posted by plop
method 1.
some1 gets acces 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada there password appears on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force  un-hashed.

a secure windows machine doesn't excist, on average 6 exploits are found in only explorer itself per week.

but a simple hint run px under it's own user which has no login rights, and also secure the px folders by only giving the that certain user acces 2 the folder.
not full proof but takes no extra resources and you add another layer of security (stays windows).

plop

We all know that a brute force attack is always possible but not feasible. And what we want to do now (I least, I do) is to prevent amateur crackers (kiddies who somehow gained access to the server) from stealing passwords.

Yeah, they can steal the hashes, but maybe they don't even know what a hash is. ;)

I don't understand what is wrong with another security barrier, :(

Tw?sT?d-d?v

#30
I honestly think that PtokaX doesnt need to change to way passwords are saved ect ... there has never been any call for this to change ... so why all of a sudden the interest in getting this changed ?(  

seems to me that you have got more of an intrest in getting the files changed then you are letting on :P

Dam

QuoteOriginally posted by (uk)jay
I honestly think that PtokaX doesnt need to change to way passwords are saved ect ... there has never been any call for this to change ... so why all of a sudden the interest in getting this changed ?(  

seems to me that you have got more of an intrest in getting the files changed then you are letting on :P

Believe me, if PtokaX were open source, I would do what I want, :P. But it's not the case, so I need them to do it internally.

Pothead

QuoteOriginally posted by Dam
If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.
My point was, you can secure your pc to stop other people physially using it.  As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.

Tiskelion

lay off the pot. we?re not talking about physical access here.
:] I am master of what is my dome! :]


Dam

QuoteOriginally posted by Pothead
QuoteOriginally posted by Dam
If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.
My point was, you can secure your pc to stop other people physially using it.  As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.

So what? Why can't I stop crackers doing more damage???

Man... please say something useful...

Pothead

QuoteOriginally posted by Dam
So what? Why can't I stop crackers doing more damage???
Man... please say something useful...
Well you and Tiskelion seem so determind about this feature. Personally i think it's a bad idea, and like what plop said, passwords will still be easily monitored via Etheral.  Or by PtokaX itself.  Or a script added to ptokaX.  And to suggest someone who has the ability to hack your computer, but then not have knowledge to do any of them is kind of stupid.
Does this massive sudden desire to have them changed (like what Uk-Jay said), have anything to do with the !getpass function provided by a few scripts, and some malicious people you decided to give access to that command ?
As that sounds a lot more relasitic than someone hacking your computer, just to get a few passwords, for a hub.

Herodes

QuoteOriginally posted by Pothead
My point was, you can secure your pc to stop other people physially using it.  As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.
I'll definately go with this,... we aren't talking about money here.. it is just some extra cmds and priviledges in a hub 4gs ...

plop

#37
QuoteOriginally posted by Dam
QuoteOriginally posted by plop
method 1.
some1 gets acces 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada there password appears on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force  un-hashed.

a secure windows machine doesn't excist, on average 6 exploits are found in only explorer itself per week.

but a simple hint run px under it's own user which has no login rights, and also secure the px folders by only giving the that certain user acces 2 the folder.
not full proof but takes no extra resources and you add another layer of security (stays windows).

plop

We all know that a brute force attack is always possible but not feasible. And what we want to do now (I least, I do) is to prevent amateur crackers (kiddies who somehow gained access to the server) from stealing passwords.

Yeah, they can steal the hashes, but maybe they don't even know what a hash is. ;)

I don't understand what is wrong with another security barrier, :(

a brute force attack against px doesn't work, px is protected against this.
if you wanna add an extra layer of security you should protect the windows machine.
this can be done with a router or a linux/bsd rig setup as router/gateway.
for example my hub server is only accessible on the 2 ports px runs on, and those are protected with a N.I.D.S. and a firewall with state-full protection (which are running on BSD).

plop
http://www.plop.nl lua scripts/howto\'s.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<

Dam

#38
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they where hashes).

It's very difficult to me to explain myself in English (and I puts me in a very bad mood).

So, please, don't think wrongs things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.


Dam

QuoteOriginally posted by ??????Hawk??????
http://www.pctools.com/spyware-doctor/

??

[ZD][Psycho]

QuoteOriginally posted by Pothead
Well you and Tiskelion seem so determind about this feature. Personally i think it's a bad idea, and like what plop said, passwords will still be easily monitored via Etheral.
What if someone used a newly found exploit in an FTPD that the hub's server is running? You can't guard yourself against everything. As bluebear pointed out earlier, this security feature would be protection against amateurs.
QuoteOriginally posted by Pothead
Or a script added to ptokaX.
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
QuoteOriginally posted by Pothead
And to suggest someone who has the ability to hack your computer, but then not have knowledge to do any of them is kind of stupid.
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
"Religion is regarded by the common people as true, by the wise as false, and by rulers as useful." -Seneca

plop

QuoteOriginally posted by Dam
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they where hashes).

It's very difficult to me to explain myself in English (and I puts me in a very bad mood).

So, please, don't think wrongs things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.

i agree that plain text files for pw databases aren't secure, but px doesn't have any exploits.
so the pw database is safe from that side.
the risk comes from windows itself.
when it comes 2 key loggers the problem is simple, your anti virus fails.
you need 2 secure the server not the hub, just like it's plain stupid 2 place a vault in a house without locks on the door.
everybody can walk out with the safe.

my personaly favorite of storing the pw's is by replacing the xml files for a sqlite/mysql server.
sqlite has an advantage over mysql as it doesn't require any setup/config.
so less hassle for hub owners.
but still if someone gains root acces 2 the server they can steal the database and dencrypt the data, same as with the hashes.
just sql works a hell of a lot faster and doesn't use extra resources/bandwidth from px.

plop
http://www.plop.nl lua scripts/howto\'s.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<

PPK

PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
"Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris." - Larry Wall

Dam

QuoteOriginally posted by plop
QuoteOriginally posted by Dam
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they where hashes).

It's very difficult to me to explain myself in English (and I puts me in a very bad mood).

So, please, don't think wrongs things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.

i agree that plain text files for pw databases aren't secure, but px doesn't have any exploits.
so the pw database is safe from that side.
the risk comes from windows itself.
when it comes 2 key loggers the problem is simple, your anti virus fails.
you need 2 secure the server not the hub, just like it's plain stupid 2 place a vault in a house without locks on the door.
everybody can walk out with the safe.

my personaly favorite of storing the pw's is by replacing the xml files for a sqlite/mysql server.
sqlite has an advantage over mysql as it doesn't require any setup/config.
so less hassle for hub owners.
but still if someone gains root acces 2 the server they can steal the database and dencrypt the data, same as with the hashes.
just sql works a hell of a lot faster and doesn't use extra resources/bandwidth from px.

plop

Usually, people who locks vaults have also other security methods. Strong doors, security guards, etc. ;)

Dam

#45
QuoteOriginally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:

You mean:

Hash passwords as any SHA algorithms (except SHA-1) and send hashed passwords over Internet as TTH (what I would recommend)

or:

Hash passwords as TTH and send them over Internet as TTH also?

Any of the above, it's a big step, thank you so much!! :)

Pothead

QuoteOriginally posted by [ZD][Psycho]
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
Same goes for the Debug screen, showing the password. :)
QuoteOriginally posted by [ZD][Psycho]
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
If they can hack your computer, they are not amutures, and it's pretty reasonable to assume they can tick a box in the settings, or know how to brute force stuff.
QuoteOriginally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
Then if they get the passwords database, i'll take 2 minutes to modify their client to just send the hash.  ?(

Dam

#47
QuoteOriginally posted by Pothead
QuoteOriginally posted by [ZD][Psycho]
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
Same goes for the Debug screen, showing the password. :)
QuoteOriginally posted by [ZD][Psycho]
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
If they can hack your computer, they are not amutures, and it's pretty reasonable to assume they can tick a box in the settings, or know how to brute force stuff.
QuoteOriginally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
Then if they get the passwords database, i'll take 2 minutes to modify their client to just send the hash.  ?(

amateur = someone who gets a passwords the easy way (keylogger, for example) and don't now: a) what a packet sniffer is b) what a brute force attack is c) how to modify the source of the client he/she uses d) what a hash is e) a big etc.

Pothead

#48
To install a keylogger over the internet, means you must have shit security.
Don't use Internet Explorer, and get a decent firewall, virus scanner, and problem solved.  Anything which involves getting past a Firewall and / or Virus scanner, means that they ain't an amateur.

*** Edit ***
And yes, btw, i do know a way to hack a computer, which is undetectable by firewall and virus scanner.  But it still involves the victim using Internet Explorer.

Dam

#49
QuoteOriginally posted by Pothead
To install a keylogger over the internet, means you must have shit security.
Don't use Internet Explorer, and get a decent firewall, virus scanner, and problem solved.  Anything which involves getting past a Firewall and / or Virus scanner, means that they ain't an amateur.

*** Edit ***
And yes, btw, i do know a way to hack a computer, which is undetectable by firewall and virus scanner.  But it still involves the victim using Internet Explorer.

To install a keylogger over Internet means that the user which is running the server is a stupid. But anything that enhances security (at least for a bit) of a software is always important.

Can't you see that this will not only be good for me, but for all users who will use that feature??

I do now how to secure my PC, but it will not be invulnerable. Plus, social engineering exists and new software bugs (even on antivirus software) are found.

SMF spam blocked by CleanTalk