[Opensim-dev] open sim UUID and Passwordhash

Impalah Shenzhou impalah at gmail.com
Fri Oct 16 11:37:13 UTC 2009


Thanks for the info Melanie.

Adam, I consider Drupal, for example, a CMS with decent security, and it
only uses md5(plain_password) to store user passwords. Some PHP frameworks
(for example CodeIgniter, CakePHP...) use, though it is not mandatory, a unique
hash for the whole application.

A random hash for every user improves security, you're right, but it increases
the data sent between the DB and the servers for every authentication. I prefer not
to overload data transmission for something I think is overprotection. Maybe
for 10 or 100 users there won't be any problems, but think of 10000 and each
byte will count (they aren't cheap).

If you have a long, secret and unique hash for your servers, who can make an
effective attack on you (at least in reasonable time)?

Maybe the difference could be that Drupal used to be deployed over Apache,
and it can be protected against dictionary attacks by activating some modules,
while Opensim/UGAIM are servers "per se", basic servers.

It's my opinion, if you don't like it, I have more :-P

Greetings


2009/10/16 Frisby, Adam <adam at deepthink.com.au>

>  A long fixed salt doesn’t help over the simple “:” in any practical way.
> The salt *must* be unique for each user for decent security.
>
>
>
> Adam
>
>
>
> *From:* opensim-dev-bounces at lists.berlios.de [mailto:
> opensim-dev-bounces at lists.berlios.de] *On Behalf Of *Impalah Shenzhou
> *Sent:* Friday, 16 October 2009 3:44 AM
>
> *To:* opensim-dev at lists.berlios.de
> *Subject:* Re: [Opensim-dev] open sim UUID and Passwordhash
>
>
>
> This comes from UserManagerBase.AddUser (0.6.6):
>
> string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" + String.Empty);
>
> The salt should be where String.Empty is.
>
> I think it doesn't change in the most recent versions, so the "create user"
> method of the console (both standalone and ugaim) is insecure by default.
>
>
> Anyway, I agree with Melanie and Adam that the salt is needed for improving
> security, if not a random salt every time you create a user, at least a
> long and secret unique salt.
>
> Greetings
>
>
>  2009/10/16 Frisby, Adam <adam at deepthink.com.au>
>
> +1 to Melanie, that code is *not* secure. It is salted with a ":" but
> that's a fixed known salt.
>
> This is what I suggest:
>
> $passwordSalt = md5(time() . microtime() . mt_rand(0, mt_getrandmax())); // or
> any other good random source
> $passwordHash = md5(md5($password) . ':' . $passwordSalt);
>
> $passwordSalt should be unique among your database (very likely with the
> above code); if there are duplicates, then it allows dictionary attacks to
> be done, the more duplicates, the more effective it is.
>
> Adam
>
>
> > -----Original Message-----
> > From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-
> > bounces at lists.berlios.de] On Behalf Of Melanie
> > Sent: Thursday, 15 October 2009 4:14 PM
> > To: opensim-dev at lists.berlios.de
> > Subject: Re: [Opensim-dev] open sim UUID and Passwordhash
> >
> > Please don't use that code. It creates unsalted hashes, which are
> > not secure.
> > The "" should be a random salt, stored in the passwordSalt field in
> > the DB. If that is blank, you're running a very insecure system.
> >
> >
> > Melanie
> >
> >
> > Rich White wrote:
> > > here is the PHP code - $password_hash = md5(md5($password) . ":" . "");
> > >
> > > an md5 hash of an md5 hash
> > >
> > > =====
> > >
> > > 2009/10/15 Márcio Cardoso <marciomaiden at gmail.com>:
> > >> Good night,
> > >>
> > >> Would it be possible for someone to help me with 2 problems I have? I'm
> > >> trying to create a stored procedure in MySQL to add users, but I do not
> > >> know how the UUID is generated. Does anyone have any idea how this happens?
> > >> Another problem is how the password is encoded.
> > >>
> > >> The ideal would be to have access to the code that opensim uses to add
> > >> avatars, but I got tired of looking and found nothing. I thank you for your help.
> > >>
> > >> Greetings,
> > >>
> > >> Márcio Cardoso
> > >>
> > >> _______________________________________________
> > >> Opensim-dev mailing list
> > >> Opensim-dev at lists.berlios.de
> > >> https://lists.berlios.de/mailman/listinfo/opensim-dev
> > >>
> > >>
>
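The hashing scheme quoted in this thread, reproduced in Python as an added example (this is neither OpenSim's code nor any poster's PHP). `opensim_password_hash` is md5(md5(password) . ":" . salt) exactly as quoted; `new_password_salt` replaces the time()/mt_rand() source in Adam's snippet with the OS CSPRNG, which is a swapped-in choice; the 32-character salt width, the row layout of the audit function, and the sample rows are assumptions constructed for the example. `audit_user_rows` is the check a grid operator would run over a users table to find the blank-salt rows Melanie warns about and the duplicate salts Adam mentions.

```python
import hashlib
import secrets
from collections import Counter


def md5_hex(text: str) -> str:
    """Lower-case hex MD5 of a UTF-8 string, the same output as PHP's md5()
    and as OpenSim's Util.Md5Hash for ASCII input."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def opensim_password_hash(password: str, salt: str) -> str:
    """The scheme quoted in the thread: md5(md5(password) . ":" . salt).
    With salt == "" this is what the quoted 0.6.6 AddUser code produced."""
    return md5_hex(md5_hex(password) + ":" + salt)


def new_password_salt() -> str:
    """Per-user random salt. The thread's PHP derives it from time() and
    mt_rand(); this example uses the OS CSPRNG instead. Assumption: 16
    random bytes as 32 hex characters, the same width as an md5 digest, so
    it fits a passwordSalt column sized for the PHP version."""
    return secrets.token_hex(16)


def verify_password(password: str, salt: str, stored_hash: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    return secrets.compare_digest(opensim_password_hash(password, salt), stored_hash)


def same_password_collides(password: str, salt_a: str, salt_b: str) -> bool:
    """True when two accounts sharing a password also share a stored hash.
    A blank or shared salt creates exactly that: one dictionary pass over
    the table covers every such account at once."""
    return opensim_password_hash(password, salt_a) == opensim_password_hash(password, salt_b)


def audit_user_rows(rows):
    """Flag rows whose passwordSalt is blank (the unsalted case Melanie warns
    about) or shared with another row (Adam's duplicate-salt case).
    Each row is a dict with 'name', 'passwordHash' and 'passwordSalt'; the
    column names follow the thread, the dict layout is an assumption."""
    salt_counts = Counter(row["passwordSalt"] for row in rows)
    findings = []
    for row in rows:
        salt = row["passwordSalt"]
        if salt == "":
            findings.append((row["name"], "blank salt"))
        elif salt_counts[salt] > 1:
            findings.append((row["name"], "duplicate salt"))
    return findings


def make_row(name: str, password: str, salt: str) -> dict:
    """Build a users-table row the way the quoted PHP would store it."""
    return {"name": name, "passwordSalt": salt,
            "passwordHash": opensim_password_hash(password, salt)}


# Constructed sample rows, not data from any real OpenSim grid.
SHARED_SALT = "0123456789abcdef0123456789abcdef"
SAMPLE_ROWS = [
    make_row("alice", "hunter2", ""),                    # blank salt
    make_row("bob",   "hunter2", ""),                    # blank salt, same hash as alice
    make_row("carol", "hunter2", new_password_salt()),   # unique random salt
    make_row("dave",  "hunter2", SHARED_SALT),           # salt reused...
    make_row("erin",  "correct horse", SHARED_SALT),     # ...by a second account
]


if __name__ == "__main__":
    for name, problem in audit_user_rows(SAMPLE_ROWS):
        print(f"{name}: {problem}")
    print("alice/bob hashes equal:",
          SAMPLE_ROWS[0]["passwordHash"] == SAMPLE_ROWS[1]["passwordHash"])
```

Running it lists alice and bob as blank-salt rows and dave and erin as duplicate-salt rows; alice and bob, who share a password, also share a stored hash, while carol, with her own salt, does not. The extra per-user data the salt costs in this layout is one 32-character column per row.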