[Opensim-dev] open sim UUID and Passwordhash

Melanie melanie at t-data.com
Fri Oct 16 11:11:06 UTC 2009


I have changed that after I discovered it. In trunk, it now uses a 
random salt.

Melanie

Impalah Shenzhou wrote:
> This comes from UserManagerBase.AddUser (0.6.6):
> 
> string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" + String.Empty);
> 
> The salt should be where String.Empty is.
> 
> I think it doesn't change in the most recent versions, so the "create user"
> method of the console (both standalone and ugaim) is insecure by default.
> 
> 
> Anyway, I agree with Melanie and Adam that the salt is needed for improving
> security, if not a random salt every time you create a user, at least a
> long and secret unique salt.
> 
> Greetings
> 
> 
> 
> 2009/10/16 Frisby, Adam <adam at deepthink.com.au>
> 
>> +1 to Melanie, that code is *not* secure. It is salted with a ":" but
>> that's a fixed known salt.
>>
>> This is what I suggest:
>>
>> $passwordSalt = md5(time() . microtime() . mt_rand(0, mt_getrandmax())); // or any other good random source
>> $passwordHash = md5(md5($password) . ':' . $passwordSalt);
>>
>> $passwordSalt should be unique within your database (very likely with the
>> above code); if there are duplicates, then it allows dictionary attacks to
>> be done; the more duplicates, the more effective they are.
>>
>> Adam
>>
>> > -----Original Message-----
>> > From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-bounces at lists.berlios.de] On Behalf Of Melanie
>> > Sent: Thursday, 15 October 2009 4:14 PM
>> > To: opensim-dev at lists.berlios.de
>> > Subject: Re: [Opensim-dev] open sim UUID and Passwordhash
>> >
>> > Please don't use that code. It creates unsalted hashes, which are
>> > not secure.
>> > The "" should be a random salt, stored in the passwordSalt field in
>> > the DB. If that is blank, you're running a very insecure system.
>> >
>> >
>> > Melanie
>> >
>> >
>> > Rich White wrote:
>> > > here is the PHP code - $password_hash = md5(md5($password) . ":" . "");
>> > >
>> > > an md5 hash of an md5 hash
>> > >
>> > > =====
>> > >
>> > > 2009/10/15 Márcio Cardoso <marciomaiden at gmail.com>:
>> > >> Good night,
>> > >>
>> > >> Would it be possible for someone to help me with 2 problems I have? I'm
>> > >> trying to create a stored procedure in mysql to add users, but I do not know
>> > >> how the UUID is generated. Does anyone have any idea how this happens? Another
>> > >> problem is how the password is encoded.
>> > >>
>> > >> The ideal would be to have access to the code that opensim uses to add avatars,
>> > >> but I got tired of looking and found nothing. I thank you for your help.
>> > >>
>> > >> Greetings,
>> > >>
>> > >> Márcio Cardoso
>> > >>
>> > >> _______________________________________________
>> > >> Opensim-dev mailing list
>> > >> Opensim-dev at lists.berlios.de
>> > >> https://lists.berlios.de/mailman/listinfo/opensim-dev
>> > >>
>> > >>
>> >
>>
> 
> 
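As an added illustration (not code from OpenSim, Adam or Rich), the hashing expression discussed in this thread, md5(md5(password) + ":" + salt), written out in Python with the empty String.Empty salt next to a per-user random salt. The salt generator here uses secrets.token_hex, an assumption standing in for Adam's md5(time . microtime . mt_rand) construction; the sample password and the passwordHash/passwordSalt field names are constructed to match the thread.

```python
import hashlib
import secrets
from typing import Optional


def md5_hex(data: str) -> str:
    """Hex MD5 digest of a UTF-8 string (what Util.Md5Hash and PHP md5() return)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def opensim_password_hash(password: str, salt: str) -> str:
    """The scheme quoted in the thread: md5(md5(password) + ":" + salt).
    With salt == "" this is the 0.6.6 console 'create user' behaviour."""
    return md5_hex(md5_hex(password) + ":" + salt)


def new_salt() -> str:
    """Per-user random salt. Assumption: 16 bytes from the OS CSPRNG, hex-encoded,
    rather than Adam's md5(time . microtime . mt_rand) construction."""
    return secrets.token_hex(16)


def create_user_record(password: str, salt: Optional[str] = None) -> dict:
    """What would be stored in the passwordHash and passwordSalt columns."""
    if salt is None:
        salt = new_salt()
    return {"passwordSalt": salt, "passwordHash": opensim_password_hash(password, salt)}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    expected = opensim_password_hash(candidate, record["passwordSalt"])
    return secrets.compare_digest(expected, record["passwordHash"])


def same_password_same_hash(password: str, salt_a: str, salt_b: str) -> bool:
    """True when two accounts sharing a password also share a stored hash,
    which a fixed (or empty) salt causes and a per-user salt prevents."""
    return opensim_password_hash(password, salt_a) == opensim_password_hash(password, salt_b)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    fixed_a = create_user_record("hunter2", salt="")
    fixed_b = create_user_record("hunter2", salt="")
    print("empty salt, identical hashes:", fixed_a["passwordHash"] == fixed_b["passwordHash"])
    rand_a = create_user_record("hunter2")
    rand_b = create_user_record("hunter2")
    print("random salts, identical hashes:", rand_a["passwordHash"] == rand_b["passwordHash"])
    print("verify correct:", verify_password(rand_a, "hunter2"),
          "wrong:", verify_password(rand_a, "hunter3"))
```

Running it shows the property the thread is about: with the empty salt, two accounts with the same password store the same hash, so one cracked hash (or one precomputed table) covers every account using that password; with per-user salts the stored hashes differ, and verification still works because the salt is kept alongside the hash. One caveat for anyone copying the scheme: MD5 is fast, so even salted it is a weak password hash by today's standards, and a purpose-built slow password KDF is the better choice.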



