On Thu, 19 Apr 2012 10:23:16 +0200, Kjell Rilbe <[email protected]> wrote:
> On 2012-04-19 10:17, Dmitry Yemanov wrote:
>> 19.04.2012 12:02, Mark Rotteveel wrote:
>>
>>> Ok, that sounds relatively easy. What is the hashing algorithm, and where
>>> in the Firebird sources can I find its implementation?
>> Something derived from DES, AFAIK. See ENC_crypt(), located in /src/jrd/
>> (pre-FB3) or in /src/common/ (trunk).
>
> Er... I am a real novice when it comes to security, but perhaps you in
> the dev team should read this, which has something to say about password
> hashes based on DES (too fast):
>
> http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
>
> I've also seen mention of Rfc2898, which seems to be a good option for
> password hashes.

We are discussing the legacy password hash that is being used by Firebird
2.5 and earlier (and if I understand Dmitry correctly: has been in use
since before IB6). Firebird 3 will use SRP
(http://www.ietf.org/rfc/rfc2945.txt) for secure authentication.

Mark

------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
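
Added example, not part of the original thread and not Firebird code: the RFC 2898 key derivation (PBKDF2) mentioned in the quoted message, written out from section 5.2 of the RFC so the iteration loop that makes each password guess expensive is visible, followed by salted storage and constant-time verification. The record format, the function names and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha256") -> bytes:
    """PBKDF2 per RFC 2898 section 5.2, with HMAC as the PRF."""
    prf = hmac.new(password, digestmod=hash_name)  # keyed once, copied per call
    hlen = prf.digest_size
    out = b""
    for block in range(1, -(-dklen // hlen) + 1):  # ceil(dklen / hlen) blocks
        mac = prf.copy()
        mac.update(salt + struct.pack(">I", block))  # U_1 = PRF(P, S || INT(i))
        u = mac.digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):  # the work factor: one HMAC per round
            mac = prf.copy()
            mac.update(u)  # U_j = PRF(P, U_{j-1})
            u = mac.digest()
            t ^= int.from_bytes(u, "big")  # T_i = U_1 xor U_2 xor ... xor U_c
        out += t.to_bytes(hlen, "big")
    return out[:dklen]

ITERATIONS = 200_000  # assumed value for this example; tune to your hardware

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash."""
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iters)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != "pbkdf2-sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)  # constant-time comparison

if __name__ == "__main__":
    rec = hash_password("correct horse")  # constructed sample password
    print(rec, verify_password("correct horse", rec))
```

Storing the iteration count in the record lets the cost be raised later without invalidating existing hashes.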
