Re: [glob2-devel] Encryption, security, and a new glob2 dependancy

glob2-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [glob2-devel] Encryption, security, and a new glob2 dependancy

From:	Leo Wandersleb
Subject:	Re: [glob2-devel] Encryption, security, and a new glob2 dependancy
Date:	Wed, 02 May 2007 13:16:41 +0200
User-agent:	Icedove 1.5.0.10 (X11/20070328)

Martin Voelkle wrote:

I have talked to a few computer security gurus on IRC, and have
learned a little bit about security and how I could achieve it.

First of all, the only data that YOG transfers which could be
considered sensitive is the password for a user.

First of all, storing the password on the harddisk safely:

I was informed that I should use a non-reversible transformation on
the password, and store the transformed version. I had learned that
you could use the password as the key to encrypt a string of spaces.
The gurus reccomended SHA1 and/or MD5 and/or other, more difficult
algorithms, and or some combination of them. They also reccomend I add
salt to the password, to make it a given length. One guy jokingly
suggested I use one hash as the salt for another hash, just to
"mindfuck" them. Not a bad idea, thinks me.


Since this is supposed to be GPL, there is no security enhancement by
using "mindfucking" techniques. The order and combination of the
hashes is publicly documented in the code. I'm also not sure about
salting, because the salt can also be reconstructed in any brute force
attack.

sure. brute force attacks specially designed for glob2 can't be stopped by that.but they take years to find passwords as they would have to check passwords onevery single login. if not salted you simply search md5("test123") in the hashedpasswords column and find who uses this password.

I will likely use some obscure combination of SHA1, MD5, and maybe
another hash function to store the password. This is almost trivial to
do, and unbreakable to a certain extent. Not that anyone will really
be getting into YOG passwords anyhow.


I think the only way to be secure is to chose a good hashing function.
MD5 is a bad one. SHA1 seems also flawed. Better use SHA256 or SHA512.
http://en.wikipedia.org/wiki/Cryptographic_hash_function

in my eyes salted md5 is absolutly more than sufficient. please don't useseveral algos as this is more lines of code with no extra value.


hash=md5(md5(login)+password)

and don't take more efford than neccessary. it's only a game. passwords shouldbe secured to a certain degree as they might be used elsewhere, too but don'tput in all your energy.


Leo Wandersleb

[Prev in Thread]

Current Thread

[Next in Thread]

[glob2-devel] Encryption, security, and a new glob2 dependancy, Bradley Arsenault, 2007/05/01
- Re: [glob2-devel] Encryption, security, and a new glob2 dependancy, Kieran P, 2007/05/01
  - Re: [glob2-devel] Encryption, security, and a new glob2 dependancy, Kai Antweiler, 2007/05/02
  - Re: [glob2-devel] Encryption, security, and a new glob2 dependancy, Leo Wandersleb, 2007/05/02
    - Re: [glob2-devel] Encryption, security, and a new glob2 dependancy, Kieran P, 2007/05/02
- Re: [glob2-devel] Encryption, security, and a new glob2 dependancy, Martin Voelkle, 2007/05/02
  - Re: [glob2-devel] Encryption, security, and a new glob2 dependancy, Leo Wandersleb <=
    - Re: [glob2-devel] Encryption, security, and a new glob2 dependancy, Stéphane Magnenat, 2007/05/02
    - Re: [glob2-devel] Encryption, security, and a new glob2 dependancy, Martin Voelkle, 2007/05/02

Prev by Date: Re: [glob2-devel] all your bases are belong to Nicowar
Next by Date: Re: [glob2-devel] Encryption, security, and a new glob2 dependancy
Previous by thread: Re: [glob2-devel] Encryption, security, and a new glob2 dependancy
Next by thread: Re: [glob2-devel] Encryption, security, and a new glob2 dependancy
Index(es):
- Date
- Thread