A long fixed salt doesn't help over the simple ":" in any practical way. The salt must be unique for each user for decent security.
Adam From: [email protected] [mailto:[email protected]] On Behalf Of Impalah Shenzhou Sent: Friday, 16 October 2009 3:44 AM To: [email protected] Subject: Re: [Opensim-dev] open sim UUID and Passwordhash This comes from UserManagerBase.AddUser (0.6.6): string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" + String.Empty); The salt should be where String.Empty is. I think it doesn't change in the most recent versions, so the "create user" method of the console (both standalone and ugaim) are unsecure by default. Anyway, I agree with Melanie and Adam that the salt is needed for improving security, if not a random salt every time you create an user, at least a long and secret unique salt. Greetings 2009/10/16 Frisby, Adam <[email protected]<mailto:[email protected]>> +1 to Melanie, that code is *not* secure. It is salted with a ":" but that's a fixed known salt. This is what I suggest: $passwordSalt = md5(time() . utime() . mt_rand(0,mt_getrandmax())); // or any other good random source $passwordHash = md5(md5($password) . ':' . $passwordSalt); $passwordSalt should be unique among your database (very likely with the above code); if there are duplicates, then it allows dictionary attacks to be done, the more duplicates, the more effective it is. Adam > -----Original Message----- > From: > [email protected]<mailto:[email protected]> > [mailto:opensim-dev-<mailto:opensim-dev-> > [email protected]<mailto:[email protected]>] On Behalf Of > Melanie > Sent: Thursday, 15 October 2009 4:14 PM > To: [email protected]<mailto:[email protected]> > Subject: Re: [Opensim-dev] open sim UUID and Passwordhash > > Please don't use that code. It creates unsalted hashes, which are > not secure. > The "" should be a ranndom salt, stored in the passwordSalt field in > the DB. If that is blank, you're running a very insecure system > > > Melanie > > > Rich White wrote: > > here is the PHP code - $password_hash = md5(md5($password) . ":" > .""); > > > > an md5 hash of an md5 hash > > > > ===== > > > > 2009/10/15 Márcio Cardoso > > <[email protected]<mailto:[email protected]>>: > >> Good night, > >> > >> will be possible that someone could help me with 2 problems I have? > I'm > >> trying to create a stored procedure in mysql to add users, but do > not know > >> how UUID is generated. anyone have any idea how this happens? > Another > >> problem is how is the encoding of the password. > >> > >> The ideal was to have access to the code that opensim uses to add > avatars. > >> but I got tired of looking and nothing. I thank you for your help. > >> > >> Greetings, > >> > >> Márcio Cardoso > >> > >> _______________________________________________ > >> Opensim-dev mailing list > >> [email protected]<mailto:[email protected]> > >> https://lists.berlios.de/mailman/listinfo/opensim-dev > >> > >> > > _______________________________________________ > > Opensim-dev mailing list > > [email protected]<mailto:[email protected]> > > https://lists.berlios.de/mailman/listinfo/opensim-dev > > _______________________________________________ > Opensim-dev mailing list > [email protected]<mailto:[email protected]> > https://lists.berlios.de/mailman/listinfo/opensim-dev _______________________________________________ Opensim-dev mailing list [email protected]<mailto:[email protected]> https://lists.berlios.de/mailman/listinfo/opensim-dev
_______________________________________________ Opensim-dev mailing list [email protected] https://lists.berlios.de/mailman/listinfo/opensim-dev
