[Opensim-dev] open sim UUID and Passwordhash
diva at metaverseink.com
Fri Oct 16 16:22:14 UTC 2009
The usual warning, I'm a broken record:
there is very little security in open OpenSim grids right now.
Daniel Smith wrote:
>
> Not the best place to go over crypto 101, but for those unfamiliar with
> the insecurity of md5("password") by itself, you owe yourself a visit to
> some place like http://www.md5crack.com/crackmd5.php. It'll open your
> eyes quickly.
>
> Try "20ee80e63596799a1543bc9fd88d8878" -- it's ok, just a rabbit. Not
> my password.
>
> The point that others here are making about salt is pretty valid
> (incoming IP address + timestamp + username can be a good start).
> You'll have to store the salt somewhere, because you'll never get the
> same one again, and you'll need to add it to the user's incoming pw to
> hash again and compare...
>
> And +1 to Adam's comment on transmission and storage requirements. Not
> addressing security 101 will leave you with a site incapable of
> transmitting anything (or much worse..)
>
> Daniel
>
> --
> Daniel Smith - Sonoma County, California
> http://daniel.org/resume
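The salt handling described in the quoted message (store the salt, add it to the incoming password, hash again and compare), as an added example that is not part of the original thread or OpenSim's code. It assumes a random salt from os.urandom instead of the IP/timestamp/username mix suggested above, and PBKDF2-HMAC-SHA256 in place of a single MD5 pass; the account names, record layout and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users who picked the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}


def unsalted_md5(password: str) -> str:
    """The md5("password") scheme criticised in the thread."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_record(password: str, iterations: int = 200_000) -> dict:
    """Build the stored record: random per-user salt plus a slow salted hash."""
    salt = os.urandom(16)  # assumption: random salt, kept next to the hash
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Re-hash the incoming password with the stored salt and compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


def compare_schemes(users: dict) -> dict:
    """Count distinct stored values when several users share a password."""
    md5_values = {unsalted_md5(p) for p in users.values()}
    records = {name: new_record(p) for name, p in users.items()}
    salted_values = {r["hash"] for r in records.values()}
    return {"distinct_md5": len(md5_values),
            "distinct_salted": len(salted_values),
            "records": records}


if __name__ == "__main__":
    result = compare_schemes(SAMPLE_USERS)
    print("distinct unsalted md5 values:", result["distinct_md5"])
    print("distinct salted values:", result["distinct_salted"])
    print("login ok:", verify(result["records"]["alice"], "correct horse"))
```

With unsalted MD5 both accounts store the same value, so one precomputed lookup covers every user of that password; with a stored per-user salt the records differ and each must be attacked separately.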