[Opensim-dev] open sim UUID and Passwordhash

Frisby, Adam adam at deepthink.com.au
Fri Oct 16 11:11:10 UTC 2009


A long fixed salt doesn't help over the simple ":" in any practical way. The salt must be unique for each user for decent security.

Adam

From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-bounces at lists.berlios.de] On Behalf Of Impalah Shenzhou
Sent: Friday, 16 October 2009 3:44 AM
To: opensim-dev at lists.berlios.de
Subject: Re: [Opensim-dev] open sim UUID and Passwordhash

This comes from UserManagerBase.AddUser (0.6.6):

string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" + String.Empty);

The salt should be where String.Empty is.

I think this hasn't changed in the most recent versions, so the "create user" method of the console (both standalone and ugaim) is insecure by default.


Anyway, I agree with Melanie and Adam that the salt is needed for improving security: if not a random salt every time you create a user, at least a long and secret unique salt.

Greetings


2009/10/16 Frisby, Adam <adam at deepthink.com.au<mailto:adam at deepthink.com.au>>
+1 to Melanie, that code is *not* secure. It is salted with a ":" but that's a fixed known salt.

This is what I suggest:

$passwordSalt = md5(time() . microtime() . mt_rand(0, mt_getrandmax())); // or any other good random source (microtime(): PHP has no utime())
$passwordHash = md5(md5($password) . ':' . $passwordSalt);

$passwordSalt should be unique across your database (very likely with the above code); if there are duplicates, that allows dictionary attacks to be done, and the more duplicates there are, the more effective they are.

Adam

> -----Original Message-----
> From: opensim-dev-bounces at lists.berlios.de<mailto:opensim-dev-bounces at lists.berlios.de> [mailto:opensim-dev-<mailto:opensim-dev->
> bounces at lists.berlios.de<mailto:bounces at lists.berlios.de>] On Behalf Of Melanie
> Sent: Thursday, 15 October 2009 4:14 PM
> To: opensim-dev at lists.berlios.de<mailto:opensim-dev at lists.berlios.de>
> Subject: Re: [Opensim-dev] open sim UUID and Passwordhash
>
> Please don't use that code. It creates unsalted hashes, which are
> not secure.
> The "" should be a random salt, stored in the passwordSalt field in
> the DB. If that is blank, you're running a very insecure system.
>
>
> Melanie
>
>
> Rich White wrote:
> > here is the PHP code - $password_hash = md5(md5($password) . ":" . "");
> >
> > an md5 hash of an md5 hash
> >
> > =====
> >
> > 2009/10/15 Márcio Cardoso <marciomaiden at gmail.com<mailto:marciomaiden at gmail.com>>:
> >> Good night,
> >>
> >> Would it be possible for someone to help me with 2 problems I have? I'm
> >> trying to create a stored procedure in mysql to add users, but I do not know
> >> how the UUID is generated. Does anyone have any idea how this happens? Another
> >> problem is how the password is encoded.
> >>
> >> The ideal would be to have access to the code that opensim uses to add avatars,
> >> but I got tired of looking and found nothing. I thank you for your help.
> >>
> >> Greetings,
> >>
> >> Márcio Cardoso
> >>
> >> _______________________________________________
> >> Opensim-dev mailing list
> >> Opensim-dev at lists.berlios.de<mailto:Opensim-dev at lists.berlios.de>
> >> https://lists.berlios.de/mailman/listinfo/opensim-dev
> >>
> >>

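The scheme the thread settles on, as an added example (Python, written for this page; it is not OpenSim's C# code and not Adam's PHP): the stored layout is the md5(md5(password) + ":" + salt) quoted above with a per-user random salt in place of String.Empty, the record field names passwordSalt and passwordHash are assumed from the discussion, and the sample user database and wordlist are constructed. It also shows the two checks a practitioner wants: an audit for rows whose passwordSalt is blank (Melanie's warning), and why a shared salt lets one precomputed table crack every user at once (Adam's point about duplicates).

```python
import hashlib
import hmac
import os

# Storage layout taken from the thread: md5(md5(password) + ":" + passwordSalt), with the
# salt kept beside the hash in the user record. Field names passwordSalt/passwordHash are
# assumed from the discussion; everything else here is illustrative, not OpenSim's code.


def md5_hex(text):
    """Hex MD5 of a UTF-8 string (same output as PHP md5() and the C# Util.Md5Hash quoted above)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def opensim_password_hash(password, salt):
    """The double-MD5 layout quoted in the thread, with the salt where String.Empty was."""
    return md5_hex(md5_hex(password) + ":" + salt)


def new_salt():
    """16 bytes from the OS CSPRNG, hex-encoded: unique per user with overwhelming probability."""
    return os.urandom(16).hex()


def create_user_record(password, salt=None):
    """Build a user record; salt="" reproduces the 0.6.6 default (String.Empty) for comparison."""
    if salt is None:
        salt = new_salt()
    return {"passwordSalt": salt, "passwordHash": opensim_password_hash(password, salt)}


def verify_password(record, password):
    """Recompute with the stored salt and compare in constant time."""
    candidate = opensim_password_hash(password, record["passwordSalt"])
    return hmac.compare_digest(candidate, record["passwordHash"])


def users_with_blank_salt(records):
    """Audit check: a blank passwordSalt means the fixed ':' is the only 'salt' in the hash."""
    return sorted(name for name, rec in records.items() if not rec["passwordSalt"])


def distinct_hash_counts(passwords):
    """(distinct hashes with the fixed empty salt, distinct hashes with per-user salts).
    With a shared salt, equal passwords produce equal hashes; per-user salts hide that."""
    fixed = {create_user_record(p, salt="")["passwordHash"] for p in passwords}
    per_user = {create_user_record(p)["passwordHash"] for p in passwords}
    return len(fixed), len(per_user)


def crack_with_shared_salt(records, wordlist, salt):
    """One precomputed table for the shared salt attacks every user that used it at once.
    Users with their own random salt are not in the table and must be attacked one by one."""
    table = {opensim_password_hash(w, salt): w for w in wordlist}
    return {name: table[rec["passwordHash"]]
            for name, rec in records.items() if rec["passwordHash"] in table}


if __name__ == "__main__":
    # Constructed sample database: two users created with the 0.6.6 default, one with a real salt.
    db = {
        "alice": create_user_record("secret", salt=""),
        "bob": create_user_record("secret", salt=""),
        "carol": create_user_record("letmein"),
    }
    print("blank salts:", users_with_blank_salt(db))
    print("cracked with one table:", crack_with_shared_salt(db, ["password", "secret", "letmein"], ""))
    print("distinct hashes (fixed, per-user):", distinct_hash_counts(["secret", "secret", "other"]))
    print("verify carol:", verify_password(db["carol"], "letmein"))
```

The per-user salt is what stops the shared table and hides which users share a password; it does not slow down a guess against one user, because MD5 is fast. The block keeps the md5-of-md5 layout only because that is the format the thread's OpenSim code stores; a deployment free to change the format would move to a slow, salted password hash (bcrypt or PBKDF2) and migrate records on next login.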