glob2-devel

Re: [glob2-devel] YOG hosting/diagnosis


From: Othniel Graichen
Subject: Re: [glob2-devel] YOG hosting/diagnosis
Date: Sat, 16 Jul 2011 16:22:54 -0500

Does any1 remember that this is a FUN game?
Why do we have to use a password at all
to enter the lobby?

Do we want to restrict people from playing Glob2 online?

2nd question.
If somebody were to masquerade as me,
to log in as me and play a game as me --
or even hack my password or Stephane's.

Who would be hurt?  I am not being silly by asking.

3rd question.
Which is more important, ensuring the passwords used by YOG
are secure or reducing the number of outstanding bug reports
(even the most insignificant kind) by one?

BTW: Please email me directly if you are even slightly interested in knowing
my YOG password.  I will post the total number of emails I get on
this subject in 1 month.


OMG

On Sat, Jul 16, 2011 at 10:51 AM, Austin H <address@hidden> wrote:
Having a random salt really does make it much harder to crack the
passwords and I would highly recommend that. With a random salt they
would have to attack each password individually rather than attacking
them all as a group but a fixed salt will eliminate the use of rainbow
tables.

However, I am not sure of the purpose of hashing it twice. And by the
way, please use sha256 or sha512 to avoid the collisions with sha1.

On 07/16/2011 05:25 AM, Jannis Froese wrote:
> Hi,
> I would strongly suggest hashing them a second time after appending a
> salt (the salt could even be fixed). The server would then check the
> password by generating the hash sha1(sha1(password + salt)).
> If we don't add a salt in any way, the passwords are not very secure,
> as unsalted passwords are quickly decrypted using rainbow tables (sort
> of heavily compressed hash lookup). To see how easy this is, look at
> http://freerainbowtables.com, where you can download tables for
> passwords with up to 9 characters, depending on the complexity of the
> password.
>
> Regards
>
>
> On Sat, 16 Jul 2011 11:01:39 +0200, Stéphane Magnenat
> <address@hidden> wrote:
>> Hello,
>>
>>> Stephane do you have any idea how to handle this correctly?
>>
>> The correct way would be to see where yog checks the passwords and to
>> add a hash there. We can then apply the same hash function to the
>> password data.
>>
>> I've been looking in YOG's source code, the passwords seem to be
>> already hashed using SHA1, see src/YOGServerPasswordRegistry.cpp:113
>>
>> Therefore, it is probably safe to transmit password data. What do you
>> think?
>>
>> Stéph
>>
>> --
>> Dr Stéphane Magnenat
>> http://stephane.magnenat.net
>>
>> _______________________________________________
>> glob2-devel mailing list
>> address@hidden
>> https://lists.nongnu.org/mailman/listinfo/glob2-devel
>
>


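The scheme debated above (the client transmits a hash of the password, the server hashes that digest again together with a salt, and a per-user random salt stops an attacker from cracking all records with one table), written out as an added example. This is not glob2/YOG code: the registry layout, the function names, the use of SHA-256 instead of SHA-1 and the 16-byte salt length are assumptions made here.

```python
"""Per-user salted double hashing for a password registry (added example,
not the YOG server's code). The client sends sha256(password); the server
stores sha256(client_digest + salt) next to the user's own random salt."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SALT_LEN = 16  # assumed salt size; any unpredictable per-user value works

Registry = Dict[str, Tuple[bytes, bytes]]  # username -> (salt, stored hash)


def client_digest(password: str) -> bytes:
    # What the client would send instead of the plaintext password.
    return hashlib.sha256(password.encode("utf-8")).digest()


def server_hash(digest: bytes, salt: bytes) -> bytes:
    # Second hash binds the transmitted digest to this user's salt, so a
    # precomputed table of sha256(password) values matches no stored record.
    return hashlib.sha256(digest + salt).digest()


def register(registry: Registry, user: str, password: str,
             salt: Optional[bytes] = None) -> None:
    # Fresh random salt per user; `salt` is only overridable for tests.
    if salt is None:
        salt = os.urandom(SALT_LEN)
    registry[user] = (salt, server_hash(client_digest(password), salt))


def verify(registry: Registry, user: str, password: str) -> bool:
    record = registry.get(user)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(stored, server_hash(client_digest(password), salt))


def stored_hashes_equal(registry: Registry, user_a: str, user_b: str) -> bool:
    # With per-user salts this is False even when both chose the same
    # password, which is exactly what forces an attacker to work per user.
    return registry[user_a][1] == registry[user_b][1]
```

With a fixed salt the second hash still defeats generic rainbow tables, but two users with the same password get the same stored value, so one cracked record reveals both.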

