Alan M Webb wrote: > > If everyone is really concerned about security, then perhaps we should > stop using MD5?
;-) who's going to tell the LL clients that? cheers, DrS/dirk > > Best regards > Alan > ------------------- > T.J. Watson Research Center, Hawthorne, NY > 1-914-784-7286 > alan_w...@us.ibm.com > > > From: "Frisby, Adam" <a...@deepthink.com.au> > To: "opensim-dev@lists.berlios.de" <opensim-dev@lists.berlios.de> > Date: 10/16/2009 09:06 AM > Subject: Re: [Opensim-dev] open sim UUID and Passwordhash > > > ------------------------------------------------------------------------ > > > > Just because other software may do it wrong does not mean it is secure. > > Drupal using a plain MD5 is alarming – since it allows for very quick > plain lookups in existing databases (no need to calculate the dictionary > + permuation with your fixed salt). Storing a custom salt for each user > is essential if you wish to make dictionary attacks significantly more > expensive. (Actually it also allows for plain collision attacks too.) > > Consider this case: > · Calculate Every Permutation of the Dictionary plus a couple of > common modifications, plus your fixed salt. (this will get ~80%+ of user > passwords). > Versus > · Do the above, but for each user – since the salt is changing > per user. > > The second will take ‘n’ times longer to calculate (where N is > equivalent to the size of your database), it also works in the inverse – > if you have a 10 million user database, it means you need 1/10millionth > of the time to try calculate a valid hit. It adds up. Bigtime. > > A unique hash for the whole application helps against global world-wide > MD5 databases, but it still does not help the above situation. > > Frankly the storage and transmission size arguments are complete bunk. > We are talking 128-bits extra data per user for a good salt which adds > up to about ‘jack shit’ when summed over the lifetime of the > application. It takes very little extra time, and we already stuff that > data into our default database schemas. > > Likewise, having a long salt versus a short salt makes very little > difference – because it’s the uniqueness that counts (see the two cases > above.) > > Short summary of the above: Do it if you have any desire to follow good > security practices with your users. It takes almost no extra time and > gives you appreciable benefits. > > Adam > > *From:* opensim-dev-boun...@lists.berlios.de > [mailto:opensim-dev-boun...@lists.berlios.de] *On Behalf Of *Impalah > Shenzhou* > Sent:* Friday, 16 October 2009 4:37 AM* > To:* opensim-...@lists.berlios.de* > Subject:* Re: [Opensim-dev] open sim UUID and Passwordhash > > Thanks for the info Melanie. > > Adam, I consider Drupal, for example, a CMS with a decent security and > it only uses md5(plain_password) to store user passwords. Some php > frameworks (for example Code Igniter, Cake php...) use, but not > mandatory, an unique hash for all the application. > > A random hash for every user improves security, you're right, but > increases the data sent between DB and servers for every authentication. > I prefer not to overload data transmission for something I think is > overprotection. Maybe for 10 or 100 users there won't be no problems, > but think on 10000 and each byte will count (they aren't cheap). > > If you have a long, secret and unique hash for your servers, who can > make an effective attack to you (at least in reasonable time)? > > Maybe the difference could be that Drupal used to be deployed over > Apache, and it can be protected against dictionary attacks activating > some modules, while Opensim/UGAIM are servers "per se", basic servers. > > It's my opinion, if you don't like it, I have more :-P > > Greetings > > 2009/10/16 Frisby, Adam <_a...@deepthink.com.au_ > <mailto:a...@deepthink.com.au>> > A long fixed salt doesn’t help over the simple “:” in any practical way. > The salt *must* be unique for each user for decent security. > > Adam > > *From:* _opensim-dev-boun...@lists.berlios.de_ > <mailto:opensim-dev-boun...@lists.berlios.de> > [mailto:_opensim-dev-boun...@lists.berlios.de_ > <mailto:opensim-dev-boun...@lists.berlios.de>] *On Behalf Of *Impalah > Shenzhou* > Sent:* Friday, 16 October 2009 3:44 AM > * > To:* _opensim-...@lists.berlios.de_ <mailto:opensim-dev@lists.berlios.de>* > Subject:* Re: [Opensim-dev] open sim UUID and Passwordhash > > This comes from UserManagerBase.AddUser (0.6.6): > > string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" + > String.Empty); > > The salt should be where String.Empty is. > > I think it doesn't change in the most recent versions, so the "create > user" method of the console (both standalone and ugaim) are unsecure by > default. > > > Anyway, I agree with Melanie and Adam that the salt is needed for > improving security, if not a random salt every time you create an user, > at least a long and secret unique salt. > > Greetings > > 2009/10/16 Frisby, Adam <_a...@deepthink.com.au_ > <mailto:a...@deepthink.com.au>> > +1 to Melanie, that code is *not* secure. It is salted with a ":" but > that's a fixed known salt. > > This is what I suggest: > > $passwordSalt = md5(time() . utime() . mt_rand(0,mt_getrandmax())); // > or any other good random source > $passwordHash = md5(md5($password) . ':' . $passwordSalt); > > $passwordSalt should be unique among your database (very likely with the > above code); if there are duplicates, then it allows dictionary attacks > to be done, the more duplicates, the more effective it is. > > Adam > >> -----Original Message----- >> From: _opensim-dev-boun...@lists.berlios.de_ > <mailto:opensim-dev-boun...@lists.berlios.de> [mailto:_opensim-dev-_ > <mailto:opensim-dev-> >> _boun...@lists.berlios.de_ <mailto:boun...@lists.berlios.de>] On > Behalf Of Melanie >> Sent: Thursday, 15 October 2009 4:14 PM >> To: _opensim-...@lists.berlios.de_ <mailto:opensim-dev@lists.berlios.de> >> Subject: Re: [Opensim-dev] open sim UUID and Passwordhash >> >> Please don't use that code. It creates unsalted hashes, which are >> not secure. >> The "" should be a ranndom salt, stored in the passwordSalt field in >> the DB. If that is blank, you're running a very insecure system >> >> >> Melanie >> >> >> Rich White wrote: >> > here is the PHP code - $password_hash = md5(md5($password) . ":" >> .""); >> > >> > an md5 hash of an md5 hash >> > >> > ===== >> > >> > 2009/10/15 Márcio Cardoso <_marciomai...@gmail.com_ > <mailto:marciomai...@gmail.com>>: >> >> Good night, >> >> >> >> will be possible that someone could help me with 2 problems I have? >> I'm >> >> trying to create a stored procedure in mysql to add users, but do >> not know >> >> how UUID is generated. anyone have any idea how this happens? >> Another >> >> problem is how is the encoding of the password. >> >> >> >> The ideal was to have access to the code that opensim uses to add >> avatars. >> >> but I got tired of looking and nothing. I thank you for your help. >> >> >> >> Greetings, >> >> >> >> Márcio Cardoso >> >> >> >> _______________________________________________ >> >> Opensim-dev mailing list >> >> _opensim-...@lists.berlios.de_ <mailto:Opensim-dev@lists.berlios.de> >> >> _https://lists.berlios.de/mailman/listinfo/opensim-dev_ >> >> >> >> >> > _______________________________________________ >> > Opensim-dev mailing list >> > _opensim-...@lists.berlios.de_ <mailto:Opensim-dev@lists.berlios.de> >> > _https://lists.berlios.de/mailman/listinfo/opensim-dev_ >> >> _______________________________________________ >> Opensim-dev mailing list >> _opensim-...@lists.berlios.de_ <mailto:Opensim-dev@lists.berlios.de> >> _https://lists.berlios.de/mailman/listinfo/opensim-dev_ > _______________________________________________ > Opensim-dev mailing list_ > __opensim-...@lists.berlios.de_ <mailto:Opensim-dev@lists.berlios.de>_ > __https://lists.berlios.de/mailman/listinfo/opensim-dev_ > > > _______________________________________________ > Opensim-dev mailing list_ > __opensim-...@lists.berlios.de_ <mailto:Opensim-dev@lists.berlios.de>_ > __https://lists.berlios.de/mailman/listinfo/opensim-dev_ > _______________________________________________ > Opensim-dev mailing list > Opensim-dev@lists.berlios.de > https://lists.berlios.de/mailman/listinfo/opensim-dev > > > > ------------------------------------------------------------------------ > > _______________________________________________ > Opensim-dev mailing list > Opensim-dev@lists.berlios.de > https://lists.berlios.de/mailman/listinfo/opensim-dev -- dr dirk husemann ---- virtual worlds research ---- ibm zurich research lab SL: dr scofield ---- drscofi...@xyzzyxyzzy.net ---- http://xyzzyxyzzy.net/ RL: h...@zurich.ibm.com - +41 44 724 8573 - http://www.zurich.ibm.com/~hud/ _______________________________________________ Opensim-dev mailing list Opensim-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/opensim-dev