Did the attackers get the Authenticator for anybody?  These are permanent
passwords.

The password is not part of the CPID, and therefore there is no impact.
The pain comes when you change email addresses.

jm7


From: Kathryn Marks <[email protected]>
To: <[email protected]>
Cc: Jonathan Miller <[email protected]>, BOINC Developers Mailing List <[email protected]>, <[email protected]>
Date: 10/25/2011 08:33 AM
Subject: Re: [boinc_dev] BOINC security and MD5
Sent by: <[email protected]>

It's been so long since I used BAM; what impact does changing passwords have
on retired projects with regard to stats lining up?  My brain has been
eaten by teaching all day, so disregard if this is one of those stupid
questions I always tell my students to ask.

On Tue, Oct 25, 2011 at 9:29 PM, <[email protected]> wrote:
  BAM requires all BOINC passwords to be the same.  I am not certain about
  Grid Republic. Conversely, BAM makes it relatively simple to change all the
  passwords at once.

  jm7


  From: Jonathan Miller <[email protected]>
  To: BOINC Developers Mailing List <[email protected]>
  Date: 10/25/2011 07:06 AM
  Subject: [boinc_dev] BOINC security and MD5
  Sent by: <[email protected]>

  At Climate Prediction dot Net we have just had an SQL injection incident
  which led (due to poor security on our part, not BOINC's) to user emails
  and password hashes being obtained.

  Given that MD5 can be cracked relatively quickly, are there any plans to
  move away from MD5 hashing of the password/email authentication for
  BOINC?

  The PHP manual recommends against using MD5 because it is no longer
  considered strong enough.
  http://us2.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

  We have gone to some lengths to notify our users of this incident, and
  we've had quite a few responses from volunteers who have used the same
  email/password combination on other BOINC projects and websites.

  This causes me some concern because, given that BOINC is open source, it is
  trivially easy for a cracker to determine the function that writes the hash
  to the database, and note how the hash is constructed by appending the
  email address to the password.

  The attackers on our site virtually always grabbed the email address and
  the password hash in the same query, so the crackers have half the hash's
  input (the email address) and only have to guess the password part; the
  fact that the password hash incorporates the email address does not really
  add any security (other than preventing simple searches on sites such as
  http://passcracking.com/ )

  What are your thoughts and/or plans on this issue?

  Jonathan Miller
  System Administrator
  Climate Prediction dot Net, University of Oxford
  _______________________________________________
  boinc_dev mailing list
  [email protected]
  http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
  To unsubscribe, visit the above URL and
  (near bottom of page) enter your email address.





--
~Kathryn


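To make the argument in the thread concrete, the following is an added example (not code from the thread, and not BOINC's own code) that builds an MD5-over-password-plus-email hash the way the original post describes it, runs the offline guessing an attacker holding both the email and hash columns would run, and puts a salted, deliberately slow hash beside it for comparison. The sample email, password and wordlist are constructed; the exact concatenation order is taken from the post's description rather than checked against the BOINC source; the choice of PBKDF2-HMAC-SHA256 (used only because it ships in the standard library; bcrypt, scrypt or Argon2 are the usual production picks) and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential (not real data). The attacker is assumed to
# have pulled both columns, email and hash, from the database in one query,
# as the post describes.
SAMPLE_EMAIL = "volunteer@example.org"
SAMPLE_PASSWORD = "climate42"


def boinc_style_hash(password: str, email: str) -> str:
    """MD5 over the password with the email address appended.

    This follows the post's description of the construction; the exact
    concatenation order is an assumption, not checked against BOINC's source.
    """
    return hashlib.md5((password + email).encode("utf-8")).hexdigest()


def crack_boinc_style(target_hash: str, email: str, wordlist):
    """Offline dictionary attack against one leaked row.

    Because the email is already known, each guess costs exactly one MD5
    call; the email-as-salt only defeats precomputed lookup tables.
    Returns (password, guesses_tried), or (None, guesses_tried) on failure.
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        if hmac.compare_digest(boinc_style_hash(guess, email), target_hash):
            return guess, tried
    return None, tried


# Hardened replacement: random per-user salt plus a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 is used here because it ships with the standard library.
# The iteration count is an assumption; calibrate it to your hardware so one
# verification costs tens of milliseconds.
PBKDF2_ITERATIONS = 100_000


def hardened_hash(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is
    given, so two users with the same password get unrelated digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_hardened(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hardened_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def relative_cost(email: str = SAMPLE_EMAIL, password: str = SAMPLE_PASSWORD,
                  trials: int = 20) -> float:
    """Rough per-guess cost ratio (slow KDF / MD5) measured on this machine."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        boinc_style_hash(password, email)
    md5_t = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    for _ in range(trials):
        hardened_hash(password, salt)
    kdf_t = (time.perf_counter() - t0) / trials
    return kdf_t / md5_t


if __name__ == "__main__":
    stolen = boinc_style_hash(SAMPLE_PASSWORD, SAMPLE_EMAIL)
    # Constructed wordlist; a real attacker would use a large dictionary.
    wordlist = ["password", "123456", "boinc", "climate", "climate42", "oxford"]
    print("leaked row:", SAMPLE_EMAIL, stolen)
    print("cracked:", crack_boinc_style(stolen, SAMPLE_EMAIL, wordlist))
    salt, digest = hardened_hash(SAMPLE_PASSWORD)
    print("hardened verify:", verify_hardened(SAMPLE_PASSWORD, salt, digest),
          verify_hardened("wrong-guess", salt, digest))
    print("slow-KDF / MD5 cost per guess: %.0fx" % relative_cost())
```

Running the script shows the leaked row being recovered after a handful of MD5 calls, then the same password surviving a wrong guess under the salted KDF; the cost ratio printed at the end is the whole argument for moving off a fast hash: every guess the attacker makes against the hardened store costs thousands of times more than an MD5 guess, and the random salt means that cost is paid per user rather than once for the whole table.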