On 07/16/2011 05:25 AM, Jannis Froese wrote:
> Hi,
> I would strongly suggest hashing them a second time after appending a
> salt (the salt could even be fixed). The server would then check the
> password by generating the hash sha1(sha1(password + salt)).
> If we don't add a salt in any way, the passwords are not very secure,
> as unsalted passwords are quickly decrypted using rainbow tables (a sort
> of heavily compressed hash lookup). To see how easy this is, look at
> http://freerainbowtables.com, where you can download tables for
> passwords with up to 9 characters, depending on the complexity of the
> password.
>
> Regards
>
>
> On Sat, 16 Jul 2011 11:01:39 +0200, Stéphane Magnenat
> <address@hidden> wrote:
>> Hello,
>>
>>> Stephane do you have any idea how to handle this correctly?
>>
>> The correct way would be to see where yog checks the passwords and to
>> add a hash there. We can then apply the same hash function to the
>> password data.
>>
>> I've been looking at YOG's source code; the passwords seem to be
>> already hashed using SHA1, see src/YOGServerPasswordRegistry.cpp:113
>>
>> Therefore, it is probably safe to transmit password data. What do you
>> think?
>>
>> Stéph
>>
>> --
>> Dr Stéphane Magnenat
>> http://stephane.magnenat.net
>>
>> _______________________________________________
>> glob2-devel mailing list
>> address@hidden
>> https://lists.nongnu.org/mailman/listinfo/glob2-devel
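The thread above contrasts three ways of storing the YOG password: the bare SHA1 Stéphane found in the source, Jannis's sha1(sha1(password + salt)) with a fixed salt, and (implicitly, via the rainbow-table argument) a per-user salt. The following is an added example written for this page, not code from YOG or from either poster; the wordlist, the fixed salt and the PBKDF2 parameters are constructed values. It builds a toy precomputed lookup table to show which of the three schemes it defeats, and shows a per-user-salted record being stored and verified.

```python
"""Added example (not YOG code): exposure of unsalted, fixed-salt and
per-user-salted password storage to a precomputed hash lookup table."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed constant standing in for a salt hard-coded into the program.
FIXED_SALT = b"constructed-fixed-salt"

# Constructed five-word list standing in for a rainbow table's keyspace.
WORDLIST = ["password", "letmein", "glob2", "dragon", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Scheme 1, as described in the thread: a bare SHA1 of the password."""
    return hashlib.sha1(password.encode()).hexdigest()


def fixed_salt_double_sha1(password: str) -> str:
    """Scheme 2, Jannis's suggestion: sha1(sha1(password + salt)), fixed salt."""
    inner = hashlib.sha1(password.encode() + FIXED_SALT).digest()
    return hashlib.sha1(inner).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Scheme 3: a random per-user salt and a deliberately slow derivation.
    Returns a self-describing record so the salt and cost are stored with it."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_table(hash_fn: Callable[[str], str]) -> Dict[str, str]:
    """Toy stand-in for a rainbow table: digest -> password, computed once
    for a given hash function and reused against every stored value."""
    return {hash_fn(w): w for w in WORDLIST}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Recover the password for a stored digest if the table covers it."""
    return table.get(digest)


def compare_schemes(password: str = "letmein") -> Dict[str, Optional[str]]:
    """Run the same lookup against each scheme and report what it recovers."""
    generic_table = build_table(unsalted_sha1)
    # A table built for this server's fixed salt: the salt is a constant in
    # the code, so one such table still serves every user of the server.
    server_table = build_table(fixed_salt_double_sha1)
    return {
        "unsalted_vs_generic_table": lookup(generic_table, unsalted_sha1(password)),
        "fixed_salt_vs_generic_table": lookup(generic_table, fixed_salt_double_sha1(password)),
        "fixed_salt_vs_server_table": lookup(server_table, fixed_salt_double_sha1(password)),
        # Per-user salts: no single table applies; each record would need its own.
        "per_user_salts_differ": str(pbkdf2_record(password) != pbkdf2_record(password)),
    }


if __name__ == "__main__":
    for scheme, result in compare_schemes().items():
        print(f"{scheme}: {result}")
    rec = pbkdf2_record("letmein")
    print("stored record:", rec)
    print("verify correct:", verify_pbkdf2("letmein", rec))
    print("verify wrong:  ", verify_pbkdf2("wrong", rec))
```

The fixed salt does what Jannis says it does: downloadable generic tables no longer match. What it does not change is that the salt is one constant for the whole server, so a table built against it once is reusable across all accounts; a random salt stored next to each record removes that reuse, and the iteration count makes each guess cost roughly the same as a legitimate login check.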