Thanks for the info Melanie.<br><br>Adam, I consider Drupal, for example, a CMS with a decent security and it only uses md5(plain_password) to store user passwords. Some php frameworks (for example Code Igniter, Cake php...) use, but not mandatory, an unique hash for all the application.<br>
<br>A random hash for every user improves security, you're right, but increases the data sent between DB and servers for every authentication. I prefer not to overload data transmission for something I think is overprotection. Maybe for 10 or 100 users there won't be no problems, but think on 10000 and each byte will count (they aren't cheap).<br>
<br>If you have a long, secret and unique hash for your servers, who can make an effective attack to you (at least in reasonable time)?<br><br>Maybe the difference could be that Drupal used to be deployed over Apache, and it can be protected against dictionary attacks activating some modules, while Opensim/UGAIM are servers "per se", basic servers.<br>
<br>It's my opinion, if you don't like it, I have more :-P<br><br>Greetings<br><br><br><div class="gmail_quote">2009/10/16 Frisby, Adam <span dir="ltr"><<a href="mailto:adam@deepthink.com.au">adam@deepthink.com.au</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-AU">
<div>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">A long fixed salt doesn’t help over the simple “:” in any
practical way. The salt <b>must</b> be unique for each user for decent security.</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);">Adam</span></p>
<p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p>
<div style="border-style: none none none solid; border-color: -moz-use-text-color -moz-use-text-color -moz-use-text-color blue; border-width: medium medium medium 1.5pt; padding: 0cm 0cm 0cm 4pt;">
<div>
<div style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0cm 0cm;">
<p class="MsoNormal"><b><span style="font-size: 10pt;" lang="EN-US">From:</span></b><span style="font-size: 10pt;" lang="EN-US"> <a href="mailto:opensim-dev-bounces@lists.berlios.de" target="_blank">opensim-dev-bounces@lists.berlios.de</a>
[mailto:<a href="mailto:opensim-dev-bounces@lists.berlios.de" target="_blank">opensim-dev-bounces@lists.berlios.de</a>] <b>On Behalf Of </b>Impalah
Shenzhou<br>
<b>Sent:</b> Friday, 16 October 2009 3:44 AM<div><div></div><div class="h5"><br>
<b>To:</b> <a href="mailto:opensim-dev@lists.berlios.de" target="_blank">opensim-dev@lists.berlios.de</a><br>
<b>Subject:</b> Re: [Opensim-dev] open sim UUID and Passwordhash</div></div></span></p>
</div>
</div><div><div></div><div class="h5">
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="margin-bottom: 12pt;">This comes from
UserManagerBase.AddUser (0.6.6):<br>
<br>
string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" +
String.Empty);<br>
<br>
The salt should be where String.Empty is.<br>
<br>
I think it doesn't change in the most recent versions, so the "create
user" method of the console (both standalone and ugaim) are unsecure by
default.<br>
<br>
<br>
Anyway, I agree with Melanie and Adam that the salt is needed for improving
security, if not a random salt every time you create an user, at least a long
and secret unique salt.<br>
<br>
Greetings<br>
<br>
<br>
</p>
<div>
<p class="MsoNormal">2009/10/16 Frisby, Adam <<a href="mailto:adam@deepthink.com.au" target="_blank">adam@deepthink.com.au</a>></p>
<p class="MsoNormal">+1 to Melanie, that code is *not* secure. It is salted with
a ":" but that's a fixed known salt.<br>
<br>
This is what I suggest:<br>
<br>
$passwordSalt = md5(time() . utime() . mt_rand(0,mt_getrandmax())); // or any
other good random source<br>
$passwordHash = md5(md5($password) . ':' . $passwordSalt);<br>
<br>
$passwordSalt should be unique among your database (very likely with the above
code); if there are duplicates, then it allows dictionary attacks to be done,
the more duplicates, the more effective it is.<br>
<span style="color: rgb(136, 136, 136);"><br>
Adam</span></p>
<div>
<div>
<p class="MsoNormal"><br>
> -----Original Message-----<br>
> From: <a href="mailto:opensim-dev-bounces@lists.berlios.de" target="_blank">opensim-dev-bounces@lists.berlios.de</a>
[mailto:<a href="mailto:opensim-dev-" target="_blank">opensim-dev-</a><br>
> <a href="mailto:bounces@lists.berlios.de" target="_blank">bounces@lists.berlios.de</a>] On
Behalf Of Melanie<br>
> Sent: Thursday, 15 October 2009 4:14 PM<br>
> To: <a href="mailto:opensim-dev@lists.berlios.de" target="_blank">opensim-dev@lists.berlios.de</a><br>
> Subject: Re: [Opensim-dev] open sim UUID and Passwordhash<br>
><br>
> Please don't use that code. It creates unsalted hashes, which are<br>
> not secure.<br>
> The "" should be a ranndom salt, stored in the passwordSalt
field in<br>
> the DB. If that is blank, you're running a very insecure system<br>
><br>
><br>
> Melanie<br>
><br>
><br>
> Rich White wrote:<br>
> > here is the PHP code - $password_hash = md5(md5($password) .
":"<br>
> ."");<br>
> ><br>
> > an md5 hash of an md5 hash<br>
> ><br>
> > =====<br>
> ><br>
> > 2009/10/15 Márcio Cardoso <<a href="mailto:marciomaiden@gmail.com" target="_blank">marciomaiden@gmail.com</a>>:<br>
> >> Good night,<br>
> >><br>
> >> will be possible that someone could help me with 2 problems I
have?<br>
> I'm<br>
> >> trying to create a stored procedure in mysql to add users, but do<br>
> not know<br>
> >> how UUID is generated. anyone have any idea how this
happens?<br>
> Another<br>
> >> problem is how is the encoding of the password.<br>
> >><br>
> >> The ideal was to have access to the code that opensim uses
to add<br>
> avatars.<br>
> >> but I got tired of looking and nothing. I thank you for your
help.<br>
> >><br>
> >> Greetings,<br>
> >><br>
> >> Márcio Cardoso<br>
> >><br>
> >> _______________________________________________<br>
> >> Opensim-dev mailing list<br>
> >> <a href="mailto:Opensim-dev@lists.berlios.de" target="_blank">Opensim-dev@lists.berlios.de</a><br>
> >> <a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a><br>
> >><br>
> >><br>
> > _______________________________________________<br>
> > Opensim-dev mailing list<br>
> > <a href="mailto:Opensim-dev@lists.berlios.de" target="_blank">Opensim-dev@lists.berlios.de</a><br>
> > <a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a><br>
><br>
> _______________________________________________<br>
> Opensim-dev mailing list<br>
> <a href="mailto:Opensim-dev@lists.berlios.de" target="_blank">Opensim-dev@lists.berlios.de</a><br>
> <a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a><br>
_______________________________________________<br>
Opensim-dev mailing list<br>
<a href="mailto:Opensim-dev@lists.berlios.de" target="_blank">Opensim-dev@lists.berlios.de</a><br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a></p>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div></div></div>
</div>
</div>
<br>_______________________________________________<br>
Opensim-dev mailing list<br>
<a href="mailto:Opensim-dev@lists.berlios.de">Opensim-dev@lists.berlios.de</a><br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a><br>
<br></blockquote></div><br>