Author Topic: PtokaX should save password hashes instead of plain text  (Read 12888 times)

0 Members and 1 Guest are viewing this topic.

Offline nEgativE

  • Double Ace
  • *
  • Posts: 146
  • Karma: +6/-4
(No subject)
« Reply #25 on: 28 October, 2005, 18:10:06 »
Totally agree with this feature, good work for all of u :)

PtokaX forum

(No subject)
« Reply #25 on: 28 October, 2005, 18:10:06 »

Offline Pothead

  • Lord
  • ***
  • Posts: 455
  • Karma: +25/-4
(No subject)
« Reply #26 on: 28 October, 2005, 19:24:17 »
Quote
Originally posted by Dam
An invulnerable computer does not exist, so please stop repeating me to secure it because I already did.
Ever considered buying a lock for your door ?

Quote
Originally posted by Luso
Totally agree with this feature, good work for all of u :)
Not so good for anybody who has forgotten their password.
« Last Edit: 28 October, 2005, 19:25:57 by Pothead »

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #27 on: 28 October, 2005, 19:35:05 »
Quote
Originally posted by Pothead
Quote
Originally posted by Dam
An invulnerable computer does not exist, so please stop repeating me to secure it because I already did.
Ever considered buying a lock for your door ?

Quote
Originally posted by Luso
Totally agree with this feature, good work for all of u :)
Not so good for anybody who has forgotten their password.

If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.

PtokaX should not bother with saving passwords. If a user forgets it's password, he/she should talk with the person who is running PtokaX and then get a new one (based on questions, I don't know).
« Last Edit: 28 October, 2005, 19:36:50 by Dam »

Offline plop

  • Forum God
  • ****
  • Posts: 2 464
  • Karma: +37/-0
(No subject)
« Reply #28 on: 28 October, 2005, 21:20:27 »
method 1.
some1 gets acces 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada there password appears on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force  un-hashed.

a secure windows machine doesn't excist, on average 6 exploits are found in only explorer itself per week.

but a simple hint run px under it's own user which has no login rights, and also secure the px folders by only giving the that certain user acces 2 the folder.
not full proof but takes no extra resources and you add another layer of security (stays windows).

plop
« Last Edit: 28 October, 2005, 21:22:37 by plop »
http://www.plop.nl lua scripts/howto\'s.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #29 on: 28 October, 2005, 21:32:17 »
Quote
Originally posted by plop
method 1.
some1 gets acces 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada there password appears on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force  un-hashed.

a secure windows machine doesn't excist, on average 6 exploits are found in only explorer itself per week.

but a simple hint run px under it's own user which has no login rights, and also secure the px folders by only giving the that certain user acces 2 the folder.
not full proof but takes no extra resources and you add another layer of security (stays windows).

plop

We all know that a brute force attack is always possible but not feasible. And what we want to do now (I least, I do) is to prevent amateur crackers (kiddies who somehow gained access to the server) from stealing passwords.

Yeah, they can steal the hashes, but maybe they don't even know what a hash is. ;)

I don't understand what is wrong with another security barrier, :(
« Last Edit: 28 October, 2005, 21:33:11 by Dam »

Offline Tw?sT?d-d?v

  • Lord
  • ***
  • Posts: 436
  • Karma: +79/-2
    • EURO-OP
(No subject)
« Reply #30 on: 29 October, 2005, 00:08:49 »
I honestly think that PtokaX doesnt need to change to way passwords are saved ect ... there has never been any call for this to change ... so why all of a sudden the interest in getting this changed ?(  

seems to me that you have got more of an intrest in getting the files changed then you are letting on :P
« Last Edit: 29 October, 2005, 00:09:43 by (uk)jay »

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #31 on: 29 October, 2005, 00:55:11 »
Quote
Originally posted by (uk)jay
I honestly think that PtokaX doesnt need to change to way passwords are saved ect ... there has never been any call for this to change ... so why all of a sudden the interest in getting this changed ?(  

seems to me that you have got more of an intrest in getting the files changed then you are letting on :P

Believe me, if PtokaX were open source, I would do what I want, :P. But it's not the case, so I need them to do it internally.

Offline Pothead

  • Lord
  • ***
  • Posts: 455
  • Karma: +25/-4
(No subject)
« Reply #32 on: 29 October, 2005, 01:44:17 »
Quote
Originally posted by Dam
If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.
My point was, you can secure your pc to stop other people physially using it.  As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.

Offline Tiskelion

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
(No subject)
« Reply #33 on: 29 October, 2005, 01:58:07 »
lay off the pot. we?re not talking about physical access here.
:] I am master of what is my dome! :]


Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #34 on: 29 October, 2005, 02:03:42 »
Quote
Originally posted by Pothead
Quote
Originally posted by Dam
If you think a computer connected to the Internet can be secure, then you don't know what security is about. One can secure something but cannot make it invulnerable.
My point was, you can secure your pc to stop other people physially using it.  As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.

So what? Why can't I stop crackers doing more damage???

Man... please say something useful...

Offline Pothead

  • Lord
  • ***
  • Posts: 455
  • Karma: +25/-4
(No subject)
« Reply #35 on: 29 October, 2005, 12:07:43 »
Quote
Originally posted by Dam
So what? Why can't I stop crackers doing more damage???
Man... please say something useful...
Well you and Tiskelion seem so determind about this feature. Personally i think it's a bad idea, and like what plop said, passwords will still be easily monitored via Etheral.  Or by PtokaX itself.  Or a script added to ptokaX.  And to suggest someone who has the ability to hack your computer, but then not have knowledge to do any of them is kind of stupid.
Does this massive sudden desire to have them changed (like what Uk-Jay said), have anything to do with the !getpass function provided by a few scripts, and some malicious people you decided to give access to that command ?
As that sounds a lot more relasitic than someone hacking your computer, just to get a few passwords, for a hub.

Herodes

  • Guest
(No subject)
« Reply #36 on: 29 October, 2005, 15:40:29 »
Quote
Originally posted by Pothead
My point was, you can secure your pc to stop other people physially using it.  As for remote / hacking access over the internet, if they can do that, passwords for a hub are the least of your worries.
I'll definately go with this,... we aren't talking about money here.. it is just some extra cmds and priviledges in a hub 4gs ...

Offline plop

  • Forum God
  • ****
  • Posts: 2 464
  • Karma: +37/-0
(No subject)
« Reply #37 on: 29 October, 2005, 16:31:14 »
Quote
Originally posted by Dam
Quote
Originally posted by plop
method 1.
some1 gets acces 2 the hubserver, enables the cmd logging on the px console.
next he disconnects the masters/ops and tada there password appears on the screen.

method 2.
install a packet sniffer and tada passwords appear.

method 3.
man in the middle attack, get into a machine which is between the admin/hub.
passwords are plain text.
but this can be made harder by making sure the hubserver requires ipsec, which is a standard option in windows but i guess i'm the only 1 here using it.

method 4.
get the password db and download it, so it can be offline brute force  un-hashed.

a secure windows machine doesn't excist, on average 6 exploits are found in only explorer itself per week.

but a simple hint run px under it's own user which has no login rights, and also secure the px folders by only giving the that certain user acces 2 the folder.
not full proof but takes no extra resources and you add another layer of security (stays windows).

plop

We all know that a brute force attack is always possible but not feasible. And what we want to do now (I least, I do) is to prevent amateur crackers (kiddies who somehow gained access to the server) from stealing passwords.

Yeah, they can steal the hashes, but maybe they don't even know what a hash is. ;)

I don't understand what is wrong with another security barrier, :(

a brute force attack against px doesn't work, px is protected against this.
if you wanna add an extra layer of security you should protect the windows machine.
this can be done with a router or a linux/bsd rig setup as router/gateway.
for example my hub server is only accessible on the 2 ports px runs on, and those are protected with a N.I.D.S. and a firewall with state-full protection (which are running on BSD).

plop
« Last Edit: 29 October, 2005, 16:32:22 by plop »
http://www.plop.nl lua scripts/howto\'s.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #38 on: 29 October, 2005, 19:03:20 »
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they where hashes).

It's very difficult to me to explain myself in English (and I puts me in a very bad mood).

So, please, don't think wrongs things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.
« Last Edit: 29 October, 2005, 19:05:27 by Dam »

Offline ??????Hawk??????

  • Emperor
  • **
  • Posts: 1 044
  • Karma: +12/-2
    • Leeds Laptop Repairs
(No subject)
« Reply #39 on: 29 October, 2005, 19:15:27 »

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #40 on: 29 October, 2005, 19:19:27 »
Quote
Originally posted by ??????Hawk??????
http://www.pctools.com/spyware-doctor/

??

Offline [ZD][Psycho]

  • Junior Member
  • **
  • Posts: 24
  • Karma: +1/-0
(No subject)
« Reply #41 on: 29 October, 2005, 19:24:05 »
Quote
Originally posted by Pothead
Well you and Tiskelion seem so determind about this feature. Personally i think it's a bad idea, and like what plop said, passwords will still be easily monitored via Etheral.
What if someone used a newly found exploit in an FTPD that the hub's server is running? You can't guard yourself against everything. As bluebear pointed out earlier, this security feature would be protection against amateurs.
Quote
Originally posted by Pothead
Or a script added to ptokaX.
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
Quote
Originally posted by Pothead
And to suggest someone who has the ability to hack your computer, but then not have knowledge to do any of them is kind of stupid.
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
"Religion is regarded by the common people as true, by the wise as false, and by rulers as useful." -Seneca

Offline plop

  • Forum God
  • ****
  • Posts: 2 464
  • Karma: +37/-0
(No subject)
« Reply #42 on: 29 October, 2005, 21:39:57 »
Quote
Originally posted by Dam
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they where hashes).

It's very difficult to me to explain myself in English (and I puts me in a very bad mood).

So, please, don't think wrongs things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.

i agree that plain text files for pw databases aren't secure, but px doesn't have any exploits.
so the pw database is safe from that side.
the risk comes from windows itself.
when it comes 2 key loggers the problem is simple, your anti virus fails.
you need 2 secure the server not the hub, just like it's plain stupid 2 place a vault in a house without locks on the door.
everybody can walk out with the safe.

my personaly favorite of storing the pw's is by replacing the xml files for a sqlite/mysql server.
sqlite has an advantage over mysql as it doesn't require any setup/config.
so less hassle for hub owners.
but still if someone gains root acces 2 the server they can steal the database and dencrypt the data, same as with the hashes.
just sql works a hell of a lot faster and doesn't use extra resources/bandwidth from px.

plop
http://www.plop.nl lua scripts/howto\'s.
http://www.thegoldenangel.net
http://www.vikingshub.com
http://www.lua.org

>>----> he who fights hatred with hatred, drives the spreading of hatred <----<<

Offline PPK

  • Administrator
  • Emperor
  • *****
  • Posts: 1 479
  • Karma: +209/-22
  • PtokaX developer
(No subject)
« Reply #43 on: 29 October, 2005, 22:07:14 »
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
"Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris." - Larry Wall

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #44 on: 29 October, 2005, 22:09:25 »
Quote
Originally posted by plop
Quote
Originally posted by Dam
Guys, please, don't make strange stories. All I want to do is to secure PtokaX (since I can't modify it directly, I ask you to do that).

When I said to make a brute force attack I meant an off-line one (if they where hashes).

It's very difficult to me to explain myself in English (and I puts me in a very bad mood).

So, please, don't think wrongs things. I want to avoid kids who know how to use a keylogger from stealing passwords.

That's all.

i agree that plain text files for pw databases aren't secure, but px doesn't have any exploits.
so the pw database is safe from that side.
the risk comes from windows itself.
when it comes 2 key loggers the problem is simple, your anti virus fails.
you need 2 secure the server not the hub, just like it's plain stupid 2 place a vault in a house without locks on the door.
everybody can walk out with the safe.

my personaly favorite of storing the pw's is by replacing the xml files for a sqlite/mysql server.
sqlite has an advantage over mysql as it doesn't require any setup/config.
so less hassle for hub owners.
but still if someone gains root acces 2 the server they can steal the database and dencrypt the data, same as with the hashes.
just sql works a hell of a lot faster and doesn't use extra resources/bandwidth from px.

plop

Usually, people who locks vaults have also other security methods. Strong doors, security guards, etc. ;)

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #45 on: 29 October, 2005, 22:16:57 »
Quote
Originally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:

You mean:

Hash passwords as any SHA algorithms (except SHA-1) and send hashed passwords over Internet as TTH (what I would recommend)

or:

Hash passwords as TTH and send them over Internet as TTH also?

Any of the above, it's a big step, thank you so much!! :)
« Last Edit: 30 October, 2005, 13:46:53 by Dam »

Offline Pothead

  • Lord
  • ***
  • Posts: 455
  • Karma: +25/-4
(No subject)
« Reply #46 on: 29 October, 2005, 22:31:42 »
Quote
Originally posted by [ZD][Psycho]
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
Same goes for the Debug screen, showing the password. :)
Quote
Originally posted by [ZD][Psycho]
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
If they can hack your computer, they are not amutures, and it's pretty reasonable to assume they can tick a box in the settings, or know how to brute force stuff.
Quote
Originally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
Then if they get the passwords database, i'll take 2 minutes to modify their client to just send the hash.  ?(

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #47 on: 29 October, 2005, 22:48:03 »
Quote
Originally posted by Pothead
Quote
Originally posted by [ZD][Psycho]
The GetUserPassword(Nick) function would have to be removed if any such hashing of passwords would be implemented. It would only return the hash of a password if it wasn't removed
Same goes for the Debug screen, showing the password. :)
Quote
Originally posted by [ZD][Psycho]
And to suggest that if a certain person has the knowledge to hack into your computer, then they must have a, b, and c knowledge is rather illogical.
If they can hack your computer, they are not amutures, and it's pretty reasonable to assume they can tick a box in the settings, or know how to brute force stuff.
Quote
Originally posted by PPK
PtokaX will have in future better password saving and extension to protocol for sending hashed (tiger, because clients already support this hashing) password :rolleyes:
Then if they get the passwords database, i'll take 2 minutes to modify their client to just send the hash.  ?(

amateur = someone who gets a passwords the easy way (keylogger, for example) and don't now: a) what a packet sniffer is b) what a brute force attack is c) how to modify the source of the client he/she uses d) what a hash is e) a big etc.
« Last Edit: 29 October, 2005, 22:49:28 by Dam »

Offline Pothead

  • Lord
  • ***
  • Posts: 455
  • Karma: +25/-4
(No subject)
« Reply #48 on: 30 October, 2005, 00:26:15 »
To install a keylogger over the internet, means you must have shit security.
Don't use Internet Explorer, and get a decent firewall, virus scanner, and problem solved.  Anything which involves getting past a Firewall and / or Virus scanner, means that they ain't an amateur.

*** Edit ***
And yes, btw, i do know a way to hack a computer, which is undetectable by firewall and virus scanner.  But it still involves the victim using Internet Explorer.
« Last Edit: 30 October, 2005, 00:43:11 by Pothead »

Offline Dam

  • Junior Member
  • **
  • Posts: 21
  • Karma: +0/-0
(No subject)
« Reply #49 on: 30 October, 2005, 01:23:21 »
Quote
Originally posted by Pothead
To install a keylogger over the internet, means you must have shit security.
Don't use Internet Explorer, and get a decent firewall, virus scanner, and problem solved.  Anything which involves getting past a Firewall and / or Virus scanner, means that they ain't an amateur.

*** Edit ***
And yes, btw, i do know a way to hack a computer, which is undetectable by firewall and virus scanner.  But it still involves the victim using Internet Explorer.

To install a keylogger over Internet means that the user which is running the server is a stupid. But anything that enhances security (at least for a bit) of a software is always important.

Can't you see that this will not only be good for me, but for all users who will use that feature??

I do now how to secure my PC, but it will not be invulnerable. Plus, social engineering exists and new software bugs (even on antivirus software) are found.
« Last Edit: 30 October, 2005, 13:43:52 by Dam »

PtokaX forum

(No subject)
« Reply #49 on: 30 October, 2005, 01:23:21 »