It's been so long since I used BAM, what impact of changing passwords have on retired projects with regards to stats lining up? My brain has been eaten by teaching all day, so disregard if this is one of those stupid questions I always tell my students to ask.
On Tue, Oct 25, 2011 at 9:29 PM, <[email protected]> wrote: > BAM requires all BOINC passwords to be the same. I am not certain about > Grid Republic. Conversely, BAM makes it relatively simple to change all the > passwords at once. > > jm7 > > > |------------> > | From: | > |------------> > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |Jonathan Miller <[email protected]> > | > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |------------> > | To: | > |------------> > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |BOINC Developers Mailing List <[email protected]> > | > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |------------> > | Date: | > |------------> > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |10/25/2011 07:06 AM > | > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |------------> > | Subject: | > |------------> > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |[boinc_dev] BOINC security and MD5 > | > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |------------> > | Sent by: | > |------------> > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > |<[email protected]> > | > > > >--------------------------------------------------------------------------------------------------------------------------------------------------| > > > > > > At Climate Prediction dot Net we have just had an SQL injection incident > which lead (due to poor security on our part, not BOINC's) to user emails > and password hashes being obtained. > > Given that MD5 can be cracked relatively quickly, are there any plans to > move away from MD5 hashing of the password/email authentication for BOINC? > > The PHP manual recommends against using MD5 because it is no longer > considered strong enough. > http://us2.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash > > We have gone to some lengths to notify our users of this incident, and > we've had quite a few responses from volunteers who have used the same > email/password combination on other BOINC projects and websites. > > This causes me some concern because, given that BOINC is open source, it is > trivially easy for a cracker to determine the function that writes the hash > to the database, and note how the hash is constructed by appending the > email address to the password. > > The attackers on our site virtually always grabbed the email address and > the password hash in the same query, so the crackers have half the hash's > input (the email address) only have to guess the password part; the fact > that the password hash incorporates the email address does not really add > any security (other than preventing simple searches on sites such as > http://passcracking.com/ ) > > What are your thoughts and/or plans on this issue? > > Jonathan Miller > System Administrator > Climate Prediction dot Net, University of Oxford > _______________________________________________ > boinc_dev mailing list > [email protected] > http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev > To unsubscribe, visit the above URL and > (near bottom of page) enter your email address. > > > > > _______________________________________________ > boinc_dev mailing list > [email protected] > http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev > To unsubscribe, visit the above URL and > (near bottom of page) enter your email address. > -- ~Kathryn _______________________________________________ boinc_dev mailing list [email protected] http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev To unsubscribe, visit the above URL and (near bottom of page) enter your email address.
