Hi,

What about using a Salt (http://en.wikipedia.org/wiki/Salt_%28cryptography%29), which is a different unique string for each user (UTC time for the creation of the user), + SHA2? This would prevent access to different projects with the password, as each user will have a different Salt in each project.
Regards,
Daniel

On Tue, Oct 25, 2011 at 13:05, Jonathan Miller <[email protected]> wrote:

> At Climate Prediction dot Net we have just had an SQL injection incident
> which led (due to poor security on our part, not BOINC's) to user emails
> and password hashes being obtained.
>
> Given that MD5 can be cracked relatively quickly, are there any plans to
> move away from MD5 hashing of the password/email authentication for BOINC?
>
> The PHP manual recommends against using MD5 because it is no longer
> considered strong enough.
> http://us2.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
>
> We have gone to some lengths to notify our users of this incident, and
> we've had quite a few responses from volunteers who have used the same
> email/password combination on other BOINC projects and websites.
>
> This causes me some concern because, given that BOINC is open source, it is
> trivially easy for a cracker to determine the function that writes the hash
> to the database, and note how the hash is constructed by appending the email
> address to the password.
>
> The attackers on our site virtually always grabbed the email address and
> the password hash in the same query, so the crackers have half the hash's
> input (the email address) and only have to guess the password part; the fact
> that the password hash incorporates the email address does not really add
> any security (other than preventing simple searches on sites such as
> http://passcracking.com/ ).
>
> What are your thoughts and/or plans on this issue?
>
> Jonathan Miller
> System Administrator
> Climate Prediction dot Net, University of Oxford
> _______________________________________________
> boinc_dev mailing list
> [email protected]
> http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
> To unsubscribe, visit the above URL and
> (near bottom of page) enter your email address.
--
http://github.com/teleyinex
http://www.flickr.com/photos/teleyinex

Please do NOT use proprietary file formats such as DOC and XLS for exchanging documents; use PDF, HTML, RTF, TXT, CSV or any other format that does not force the use of a particular vendor's program to handle the information it contains.
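An illustration of the two schemes discussed in this thread, added here as example code; it is not BOINC code and not part of either poster's message. `legacy_hash` reproduces the unsalted password+email construction Jonathan describes, and `create_record`/`verify` implement Daniel's per-user salt + SHA2 idea with two assumptions: a random 16-byte salt is used instead of the account creation time (so the salt is unpredictable), and the SHA2 step is iterated as PBKDF2-HMAC-SHA256 so the hash is also slow, which is the fast-hash concern the linked PHP FAQ raises.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: work factor for PBKDF2, tune per deployment

# Legacy scheme from the thread: an unsalted fast hash of password + email.
# The same credentials on two projects give the same digest, and the email
# half of the input is usually leaked in the same query as the hash.
def legacy_hash(password: str, email: str) -> str:
    return hashlib.md5((password + email).encode()).hexdigest()

# Per-user salted scheme: the stored record carries its own random salt, so
# two projects (or two users with the same password) never share a digest.
def create_record(password: str, salt_len: int = 16) -> dict:
    salt = os.urandom(salt_len)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, record["iterations"]
    ).hex()
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(candidate, record["hash"])

def cross_project_reuse(password: str, email: str) -> tuple:
    """Register the same credentials on two independent projects and report
    (legacy_hashes_match, salted_hashes_match)."""
    legacy_same = legacy_hash(password, email) == legacy_hash(password, email)
    rec_a = create_record(password)
    rec_b = create_record(password)
    salted_same = rec_a["hash"] == rec_b["hash"]
    return legacy_same, salted_same

if __name__ == "__main__":
    # constructed sample credentials, not real accounts
    print(cross_project_reuse("correct horse", "[email protected]"))
```

With the legacy scheme the tuple's first element is always True, so a digest leaked from one project is directly usable to test the same login on every other project; with the salted record it is False, and each site's hashes must be attacked separately.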
