|
From: | Jannis Froese |
Subject: | Re: [glob2-devel] YOG hosting/diagnosis |
Date: | Sat, 16 Jul 2011 12:25:30 +0200 |
User-agent: | Roundcube Webmail/0.4.1 |
Hi,I would strongly suggest to hash them a second time after appending a salt (the salt could even be fixed). The Server would then check the password by generating the hash sha1(sha1(password + salt)). If we don't do add a salt of any way, the passwords are not very secure, as unsalted Passwords are quickly decrypted using Rainbow Tables (sort of heavily compressed hash lookup). To see how easy this is look at http://freerainbowtables.com, where you can download tables for passwords with up to 9 characters, depending on complexibility of the password.
RegardsOn Sat, 16 Jul 2011 11:01:39 +0200, Stéphane Magnenat <address@hidden> wrote:
Hello,Stephane do you have any idea how to handle this correctly?The correct way would be to see where yog checks the passwords and to add a hash there. We can then apply the same hash function to the password data. I've been looking in YOG's source code, the passwords seem to be already hashed using SHA1, see src/YOGServerPasswordRegistry.cpp:113Therefore, it is probably safe to transmit password data. What do you think?Stéph -- Dr Stéphane Magnenat http://stephane.magnenat.net _______________________________________________ glob2-devel mailing list address@hidden https://lists.nongnu.org/mailman/listinfo/glob2-devel
[Prev in Thread] | Current Thread | [Next in Thread] |