[Opensim-dev] open sim UUID and Passwordhash

Daniel Smith javajoint at gmail.com
Fri Oct 16 15:39:47 UTC 2009


Not the best place to go over crypto 101, but for those unfamiliar with the
insecurity of md5("password") by itself, you owe yourself a visit to some
place like http://www.md5crack.com/crackmd5.php.  It'll open your eyes
quickly.

Try "20ee80e63596799a1543bc9fd88d8878"  -- it's ok, just a rabbit.  Not my
password.

The point that others here are making about salt is pretty valid (incoming
IP address + timestamp + username can be a good start).  You'll have to
store the salt somewhere, because you'll never get the same one again, and
you'll need to add it to the user's incoming pw to hash again and compare...

And +1 to Adam's comment on transmission and storage requirements.  Not
addressing security 101 will leave you with a site incapable of transmitting
anything (or much worse..)

Daniel

-- 
Daniel Smith - Sonoma County, California
http://daniel.org/resume
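
The store-the-salt, re-hash and compare flow described in the message above, as an added example that is not part of the original post or of OpenSim's code. It assumes a random per-user salt from os.urandom and PBKDF2-HMAC-SHA256 in place of a single MD5 pass; the function names, work factor and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def unsalted_md5(password: str) -> str:
    """The md5("password") scheme the message warns about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_record(password: str) -> dict:
    """Create the stored record: a fresh random salt plus the salted hash."""
    salt = os.urandom(16)  # stored next to the hash; it is not a secret
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, incoming_password: str) -> bool:
    """Re-hash the incoming password with the stored salt and compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", incoming_password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_digests(digests: list) -> bool:
    """True when any two stored digests are identical."""
    return len(set(digests)) < len(digests)


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    pw = "correct horse"
    print("unsalted digests identical:",
          shared_digests([unsalted_md5(pw), unsalted_md5(pw)]))
    a, b = new_record(pw), new_record(pw)
    print("salted digests identical:  ",
          shared_digests([a["hash"], b["hash"]]))
    print("login ok:", verify(a, pw), "| wrong password:", verify(a, "rabbit"))
```

With unsalted MD5 every account using the same password stores the same digest, so one precomputed table covers all of them; with a stored per-user salt the digests differ and each record has to be attacked separately.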