[jdev] plaintext passwords hack

Mihael Pranjić tux at limun.org
Wed Dec 16 19:12:53 CST 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2009-12-17 01:43, Kurt Zeilenga wrote:
> 
> On Dec 16, 2009, at 4:17 PM, Tobias Markmann wrote:
> 
>> On 17.12.09 00:56, Peter Saint-Andre wrote:
>>> And even if you do have hashed passwords, if someone breaks into your
>>> machine then it's not that much work to de-hash them all. It just looks
>>> scarier if they're in cleartext to start with.
>>>
>> That more or less depends on what you store in your authentication
>> database. Considering SCRAM for example which has been designed to
>> address the issue of clear text password ([1] Point 3) you'd ideally
>> store the SaltedPassword, the salt and the iteration count for your
>> users in the authentication database.
>> Since SaltedPassword is generated like using Hi(hmac_sha1, password,
>> salt, iteration_count) even if you had the database with all the
>> SaltedPasswords you'd need brute force to find out the clear text
>> passwords which can take quite some time considering the variable
>> iteration count.
> 
> Computing power on the black market is quite cheap.
> 
> -- Kurt
For a start you should really have you server very well secured. Very
restriced access to anything, not letting mysql server or whatever to be
accessed by anything else than localhost. No root ssh login, only
certificate login, and so on and so on... So I think keeping anyone from
even near the database seems a better solution for now.
Also, since many users use easy passwords cracking hashes is not a huge
problem. I remember some projects which were focused on pre-cracking
hashes, but this goes back to when I used IRC so I dont remember that
well what it was about. I think they were collecting windows password
hashes and cracking them so if they found another hash that is the same
they would already have the password. With distributed computer systems
this does not take a long time and it would be easy to get any jabber
password. So really, focus on not giving the database away, however that
can happen.
A more secure way is keeping the database encrypted as a whole, which
would mean server administrators have to decrypt the database on server
startup which again is very bad on server crashes and so on... Again,
while its de-crypted someone could access the plain database.

Securing a server in general seems like a very sane idea IMHO


Mihael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksphY8ACgkQr+feV2OERJ59WgCgqP23+UEeypZGbFpTYHBH4h5d
D9EAoM+z4QK+yWYQXe7hhoVLWAIjAFDW
=Mb3f
-----END PGP SIGNATURE-----

More information about the JDev mailing list