Re: [glob2-devel] YOG hosting/diagnosis
From: Austin H
Subject: Re: [glob2-devel] YOG hosting/diagnosis
Date: Sat, 16 Jul 2011 10:51:08 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Lightning/1.0b2 Thunderbird/3.1.11
Having a random salt really does make it much harder to crack the
passwords, and I would highly recommend that. With a random salt they
would have to attack each password individually rather than attacking
them all as a group, but a fixed salt will eliminate the use of rainbow
tables.

However, I am not sure of the purpose of hashing it twice. And by the
way, please use sha256 or sha512 to avoid the collisions with sha1.
On 07/16/2011 05:25 AM, Jannis Froese wrote:
> Hi,
> I would strongly suggest hashing them a second time after appending a
> salt (the salt could even be fixed). The server would then check the
> password by generating the hash sha1(sha1(password + salt)).
> If we don't add a salt in any way, the passwords are not very secure,
> as unsalted passwords are quickly decrypted using rainbow tables (a sort
> of heavily compressed hash lookup). To see how easy this is, look at
> http://freerainbowtables.com, where you can download tables for
> passwords with up to 9 characters, depending on the complexity of the
> password.
>
> Regards
>
>
> On Sat, 16 Jul 2011 11:01:39 +0200, Stéphane Magnenat
> <address@hidden> wrote:
>> Hello,
>>
>>> Stephane do you have any idea how to handle this correctly?
>>
>> The correct way would be to see where yog checks the passwords and to
>> add a hash there. We can then apply the same hash function to the
>> password data.
>>
>> I've been looking in YOG's source code, the passwords seem to be
>> already hashed using SHA1, see src/YOGServerPasswordRegistry.cpp:113
>>
>> Therefore, it is probably safe to transmit password data. What do you
>> think?
>>
>> Stéph
>>
>> --
>> Dr Stéphane Magnenat
>> http://stephane.magnenat.net
>>
>> _______________________________________________
>> glob2-devel mailing list
>> address@hidden
>> https://lists.nongnu.org/mailman/listinfo/glob2-devel
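The salting scheme debated in this thread, as an added Python example that is not part of the thread or of the glob2/YOG code: per-user random salts with sha256 (Austin's suggestion), a constant-time verify, and a check of why one precomputed table reaches every weak account under a fixed salt but only one account under random salts. The function names, the user/password pairs and the guess list are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample guess list standing in for a precomputed (rainbow) table's inputs.
GUESSES = ["password", "letmein", "123456", "glob2"]

def hash_password(password: str, salt: bytes) -> bytes:
    # sha256 over salt || password. The double sha1(sha1(...)) from the thread adds no
    # strength against offline guessing; the per-user salt is what defeats shared tables.
    # (A purpose-built slow password KDF would be stronger still; the thread settles on sha256.)
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def register(registry: dict, user: str, password: str, salt: bytes = None) -> None:
    # Store (salt, hash) per user; fresh random salt unless one is forced for the comparison.
    if salt is None:
        salt = os.urandom(16)
    registry[user] = (salt, hash_password(password, salt))

def verify(registry: dict, user: str, password: str) -> bool:
    if user not in registry:
        return False
    salt, stored = registry[user]
    # Constant-time comparison so the check does not leak where the digests diverge.
    return hmac.compare_digest(stored, hash_password(password, salt))

def build_table(salt: bytes, guesses) -> dict:
    # One precomputed hash->guess table, valid only for this salt value.
    return {hash_password(g, salt): g for g in guesses}

def table_hits(registry: dict, table: dict) -> dict:
    # Accounts whose stored hash appears in the table: measures how far one table reaches.
    return {u: table[h] for u, (_, h) in registry.items() if h in table}

def demo() -> tuple:
    fixed_salt = b"glob2-fixed-salt"  # the "could even be fixed" option from the thread
    fixed, random_reg = {}, {}
    for user, pw in [("alice", "password"), ("bob", "letmein"), ("carol", "x9!Qv-not-guessed")]:
        register(fixed, user, pw, fixed_salt)
        register(random_reg, user, pw)
    # One table built for the fixed salt reaches every weak account at once...
    fixed_hits = table_hits(fixed, build_table(fixed_salt, GUESSES))
    # ...while a table built for alice's random salt reaches alice only.
    random_hits = table_hits(random_reg, build_table(random_reg["alice"][0], GUESSES))
    return fixed_hits, random_hits, verify(random_reg, "bob", "letmein"), verify(random_reg, "bob", "wrong")

if __name__ == "__main__":
    print(demo())
```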