The project is open source, no matter what you use as a salt, if it can be obtained from the DB, it is useless.

jm7

From: Daniel Lombraña González <[email protected]>
To: BOINC Developers Mailing List <[email protected]>
Date: 10/25/2011 07:59 AM
Subject: Re: [boinc_dev] BOINC security and MD5
Sent by: <[email protected]>

Hi,

What about using a Salt <http://en.wikipedia.org/wiki/Salt_%28cryptography%29>, which is a different unique string for each user (UTC time for the creation of the user) + SHA2? This would prevent access to different projects with the password, as each user will have a different Salt in each project.

Regards,

Daniel

On Tue, Oct 25, 2011 at 13:05, Jonathan Miller <[email protected]> wrote:
> At Climate Prediction dot Net we have just had an SQL injection incident
> which led (due to poor security on our part, not BOINC's) to user emails
> and password hashes being obtained.
>
> Given that MD5 can be cracked relatively quickly, are there any plans to
> move away from MD5 hashing of the password/email authentication for BOINC?
>
> The PHP manual recommends against using MD5 because it is no longer
> considered strong enough.
> http://us2.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
>
> We have gone to some lengths to notify our users of this incident, and
> we've had quite a few responses from volunteers who have used the same
> email/password combination on other BOINC projects and websites.
>
> This causes me some concern because, given that BOINC is open source, it is
> trivially easy for a cracker to determine the function that writes the hash
> to the database, and note how the hash is constructed by appending the email
> address to the password.
>
> The attackers on our site virtually always grabbed the email address and
> the password hash in the same query, so the crackers, who have half the
> hash's input (the email address), only have to guess the password part; the
> fact that the password hash incorporates the email address does not really
> add any security (other than preventing simple searches on sites such as
> http://passcracking.com/ ).
>
> What are your thoughts and/or plans on this issue?
>
> Jonathan Miller
> System Administrator
> Climate Prediction dot Net, University of Oxford
> _______________________________________________
> boinc_dev mailing list
> [email protected]
> http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
> To unsubscribe, visit the above URL and
> (near bottom of page) enter your email address.

--
··································································
http://github.com/teleyinex
http://www.flickr.com/photos/teleyinex
··································································
Please do NOT use proprietary file formats for exchanging documents, such as DOC and XLS, but rather PDF, HTML, RTF, TXT, CSV or any other format that does not force the use of a specific vendor's program to handle the information it contains.
··································································

_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and
(near bottom of page) enter your email address.
