Hi,
I would strongly suggest hashing them a second time after appending a
salt (the salt could even be fixed). The server would then check the
password by generating the hash sha1(sha1(password + salt)).
If we don't add a salt in any way, the passwords are not very
secure, as unsalted passwords are quickly decrypted using rainbow tables
(a sort of heavily compressed hash lookup). To see how easy this is, look
at http://freerainbowtables.com, where you can download tables for
passwords with up to 9 characters, depending on the complexity of the
password.
Regards
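As an added example (not code from this thread or from the glob2/YOG code base), the scheme proposed above in Python: the server stores sha1(sha1(password + salt)) and verifies with a constant-time comparison. Two details are assumptions, since the post does not fix them: the salt is generated per user instead of being a single fixed value, and the inner digest is fed to the outer SHA-1 as raw bytes rather than as a hex string. A tiny constructed dictionary stands in for a precomputed rainbow table, to show why an unsalted sha1(password) is recovered by table lookup while the salted digest is not.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 of arbitrary bytes."""
    return hashlib.sha1(data).hexdigest()


def stored_hash(password: str, salt: bytes) -> str:
    """Server-side digest as proposed in the thread: sha1(sha1(password + salt)).

    Assumption: the inner digest is used as raw bytes, not hex-encoded.
    """
    inner = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return sha1_hex(inner)


def new_salt(nbytes: int = 16) -> bytes:
    """Random per-user salt (assumption: the post allows a fixed salt, a per-user one is stronger)."""
    return os.urandom(nbytes)


# registry maps username -> (salt, stored_hash); a stand-in for the password registry file.
Registry = Dict[str, Tuple[bytes, str]]


def register(registry: Registry, username: str, password: str,
             salt: Optional[bytes] = None) -> None:
    """Create or overwrite a user entry; an explicit salt is accepted for reproducible tests."""
    salt = salt if salt is not None else new_salt()
    registry[username] = (salt, stored_hash(password, salt))


def verify(registry: Registry, username: str, password: str) -> bool:
    """Recompute sha1(sha1(password + salt)) for the stored salt and compare in constant time."""
    entry = registry.get(username)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(stored_hash(password, salt), expected)


def precomputed_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Constructed stand-in for a rainbow/lookup table: unsalted sha1(password) -> password."""
    return {sha1_hex(p.encode("utf-8")): p for p in candidates}


def lookup(table: Dict[str, str], digest_hex: str) -> Optional[str]:
    """Return the password behind an unsalted digest if the table contains it, else None."""
    return table.get(digest_hex)


if __name__ == "__main__":
    users: Registry = {}
    register(users, "alice", "secret")
    print("correct password accepted:", verify(users, "alice", "secret"))
    print("wrong password rejected:", not verify(users, "alice", "Secret"))

    # Constructed three-entry "table": enough to show the lookup succeeds only without salt.
    table = precomputed_table(["123456", "password", "secret"])
    print("unsalted sha1 found:", lookup(table, sha1_hex(b"secret")))
    print("salted digest found:", lookup(table, users["alice"][1]))
```

The salt must be stored next to the digest, as `register` does, because `verify` needs it to recompute the same value; what the table demonstration shows is that a precomputed mapping of sha1(password) is useless against an entry that also depends on a salt the table author did not know.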
On Sat, 16 Jul 2011 11:01:39 +0200, Stéphane Magnenat
<[email protected]> wrote:
Hello,
Stephane do you have any idea how to handle this correctly?
The correct way would be to see where yog checks the passwords and to
add a hash there. We can then apply the same hash function to the
password data.
I've been looking in YOG's source code, the passwords seem to be
already hashed using SHA1, see src/YOGServerPasswordRegistry.cpp:113
Therefore, it is probably safe to transmit password data. What do you
think?
Stéph
--
Dr Stéphane Magnenat
http://stephane.magnenat.net
_______________________________________________
glob2-devel mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/glob2-devel