[Opensim-dev] open sim UUID and Passwordhash

Frisby, Adam adam at deepthink.com.au
Fri Oct 16 18:34:08 UTC 2009


Seconded. There are other weak points which could be more easily addressed at the current point in time; but I do expect many of those to finally get ironed out.

Adam

> -----Original Message-----
> From: opensim-dev-bounces at lists.berlios.de [mailto:opensim-dev-bounces at lists.berlios.de] On Behalf Of diva at metaverseink.com
> Sent: Friday, 16 October 2009 9:22 AM
> To: opensim-dev at lists.berlios.de
> Subject: Re: [Opensim-dev] open sim UUID and Passwordhash
> 
> The usual warning, I'm a broken record:
> there is very little security in open OpenSim grids right now.
> 
> Daniel Smith wrote:
> >
> > Not the best place to go over crypto 101, but for those unfamiliar with
> > the insecurity of md5("password") by itself, you owe yourself a visit to
> > some place like http://www.md5crack.com/crackmd5.php.  It'll open your
> > eyes quickly.
> >
> > Try "20ee80e63596799a1543bc9fd88d8878"  -- it's ok, just a rabbit. Not
> > my password.
> >
> > The point that others here are making about salt is pretty valid
> > (incoming IP address + timestamp + username can be a good start).
> > You'll have to store the salt somewhere, because you'll never get the
> > same one again, and you'll need to add it to the user's incoming pw to
> > hash again and compare...
> >
> > And +1 to Adam's comment on transmission and storage requirements. Not
> > addressing security 101 will leave you with a site incapable of
> > transmitting anything (or much worse..)
> >
> > Daniel
> >
> > --
> > Daniel Smith - Sonoma County, California
> > http://daniel.org/resume
> >
> >
