[Opensim-dev] open sim UUID and Passwordhash

Impalah Shenzhou impalah at gmail.com
Fri Oct 16 10:43:34 UTC 2009


This comes from UserManagerBase.AddUser (0.6.6):

string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" + String.Empty);

The salt should be where String.Empty is.

I think it doesn't change in the most recent versions, so the "create user"
method of the console (both standalone and ugaim) is insecure by default.


Anyway, I agree with Melanie and Adam that the salt is needed for improving
security, if not a random salt every time you create a user, at least a
long and secret unique salt.

Greetings



2009/10/16 Frisby, Adam <adam at deepthink.com.au>

> +1 to Melanie, that code is *not* secure. It is salted with a ":" but
> that's a fixed known salt.
>
> This is what I suggest:
>
> $passwordSalt = md5(time() . microtime() . mt_rand(0, mt_getrandmax())); // or
> any other good random source
> $passwordHash = md5(md5($password) . ':' . $passwordSalt);
>
> $passwordSalt should be unique among your database (very likely with the
> above code); if there are duplicates, then it allows dictionary attacks to
> be done, the more duplicates, the more effective it is.
>
> Adam
>
> > -----Original Message-----
> > From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-
> > bounces at lists.berlios.de] On Behalf Of Melanie
> > Sent: Thursday, 15 October 2009 4:14 PM
> > To: opensim-dev at lists.berlios.de
> > Subject: Re: [Opensim-dev] open sim UUID and Passwordhash
> >
> > Please don't use that code. It creates unsalted hashes, which are
> > not secure.
> > The "" should be a random salt, stored in the passwordSalt field in
> > the DB. If that is blank, you're running a very insecure system.
> >
> >
> > Melanie
> >
> >
> > Rich White wrote:
> > > here is the PHP code - $password_hash = md5(md5($password) . ":" . "");
> > >
> > > an md5 hash of an md5 hash
> > >
> > > =====
> > >
> > > 2009/10/15 Márcio Cardoso <marciomaiden at gmail.com>:
> > >> Good night,
> > >>
> > >> Would it be possible for someone to help me with 2 problems I have? I'm
> > >> trying to create a stored procedure in mysql to add users, but I do not
> > >> know how the UUID is generated. Does anyone have any idea how this happens?
> > >> Another problem is how the password is encoded.
> > >>
> > >> The ideal was to have access to the code that opensim uses to add
> > >> avatars, but I got tired of looking and found nothing. I thank you for your help.
> > >>
> > >> Greetings,
> > >>
> > >> Márcio Cardoso
> > >>
> > >> _______________________________________________
> > >> Opensim-dev mailing list
> > >> Opensim-dev at lists.berlios.de
> > >> https://lists.berlios.de/mailman/listinfo/opensim-dev
> > >>
> > >>
> >
>
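The two schemes discussed in this thread side by side, as an added Python example that is not OpenSim's code nor any poster's: the hash construction is the one quoted from UserManagerBase.AddUser, md5(md5(password) + ":" + salt), first with the fixed empty salt of 0.6.6 and then with a fresh random salt per user as Adam and Melanie propose. The record layout (passwordHash and passwordSalt fields, the names Melanie uses), the constructed sample accounts and the audit helper that flags empty or shared salts in an existing table are my assumptions for illustration. The example keeps md5 so that results are comparable with what OpenSim stores; for a new design a deliberately slow password KDF (PBKDF2, bcrypt, scrypt) is the usual choice, since md5 is fast to compute even when salted.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Optional


def opensim_password_hash(password: str, salt: str) -> str:
    """md5(md5(password) + ":" + salt), the construction quoted in the thread."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + ":" + salt).encode("utf-8")).hexdigest()


def make_user_record(password: str, salt: Optional[str] = None) -> Dict[str, str]:
    """Build a hypothetical users-table row with passwordHash and passwordSalt.

    salt=None draws a fresh random salt (the fix argued for in the thread);
    salt="" reproduces the insecure 0.6.6 default where String.Empty is used.
    """
    if salt is None:
        salt = secrets.token_hex(16)  # 32 hex chars from the OS CSPRNG, unique per user
    return {
        "passwordHash": opensim_password_hash(password, salt),
        "passwordSalt": salt,
    }


def verify_password(record: Dict[str, str], candidate: str) -> bool:
    """Recompute the hash with the stored per-user salt; constant-time compare."""
    expected = opensim_password_hash(candidate, record["passwordSalt"])
    return hmac.compare_digest(expected, record["passwordHash"])


def audit_salts(records: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Flag accounts whose stored salt is empty (fixed, known) or shared with
    another account, the two conditions the thread identifies as weakening
    the hash. Returns {account_name: reason} for the accounts that need a reset."""
    salt_counts = Counter(r["passwordSalt"] for r in records.values())
    findings = {}
    for name, r in records.items():
        if r["passwordSalt"] == "":
            findings[name] = "empty salt (fixed, known)"
        elif salt_counts[r["passwordSalt"]] > 1:
            findings[name] = "salt shared with another account"
    return findings


def build_sample_records() -> Dict[str, Dict[str, str]]:
    """Constructed sample table: two accounts created with the 0.6.6 default,
    two with random salts, two sharing a salt. All values are made up."""
    return {
        "alice": make_user_record("correct horse", salt=""),
        "bob": make_user_record("correct horse", salt=""),
        "carol": make_user_record("correct horse"),
        "dave": make_user_record("correct horse"),
        "erin": make_user_record("hunter2", salt="c0ffee"),
        "frank": make_user_record("letmein", salt="c0ffee"),
    }


if __name__ == "__main__":
    table = build_sample_records()
    # alice and bob chose the same password: with the fixed salt their stored
    # hashes are identical, with random salts carol's and dave's are not.
    print("alice == bob :", table["alice"]["passwordHash"] == table["bob"]["passwordHash"])
    print("carol == dave:", table["carol"]["passwordHash"] == table["dave"]["passwordHash"])
    print("carol login  :", verify_password(table["carol"], "correct horse"))
    for account, reason in audit_salts(table).items():
        print(f"{account}: {reason}")
```

Running the script shows the point of the thread directly: alice and bob, who picked the same password, end up with the same stored hash under the fixed salt, so one guessed hash reveals both accounts, while carol and dave do not. The audit function is the check to run against a table created by the default "create user" console command before deciding which accounts must have their passwords reset.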