2011/10/25, Jonathan Miller <[email protected]>:
> At Climate Prediction dot Net we have just had an SQL injection incident
> which led (due to poor security on our part, not BOINC's) to user emails
> and password hashes being obtained.
>
> Given that MD5 can be cracked relatively quickly, are there any plans to
> move away from MD5 hashing of the password/email authentication for BOINC?
The hashing algorithm is irrelevant, because the BOINC server allows authenticating *using the hash*. The client requests the authenticator corresponding to an email+password by sending the password *hash*. Security-wise, you should pretend that BOINC is storing plaintext passwords in the database and that's what you got compromised.

-- 
Nicolas

_______________________________________________
boinc_dev mailing list
[email protected]
http://lists.ssl.berkeley.edu/mailman/listinfo/boinc_dev
To unsubscribe, visit the above URL and (near bottom of page) enter your email address.
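A worked illustration of the point in Nicolas's reply, added here as an example that is not part of the thread and is not BOINC's code. Two toy account services are compared: one that, like the protocol described above, stores the client-computed password hash and accepts that same hash as the login credential, and one that stores a salted, memory-hard verifier and only accepts the password itself. The attacker's move after a database dump is the same against both (replay the stored field as the credential); it succeeds only against the first. The message names, the `password + lower(email)` hash input, the authenticator format and the scrypt parameters are assumptions for illustration, not BOINC's actual wire format or schema.

```python
"""Hash-as-credential vs. password verifier (added example, not BOINC code)."""
import hashlib
import hmac
import os
import secrets


def client_side_hash(email: str, password: str) -> str:
    """Assumed client-side scheme: an unsalted fast hash of the password, with
    the lower-cased email mixed in only to make the value account-specific.
    MD5 is used because that is what the thread discusses; any fast hash
    behaves the same way in this protocol."""
    return hashlib.md5((password + email.lower()).encode()).hexdigest()


class HashAsCredentialServer:
    """Variant 1 (assumed model of the protocol in the reply): stores
    client_side_hash() and hands out the account authenticator to whoever
    presents that stored value."""

    def __init__(self):
        self.accounts = {}  # email -> {"passwd_hash": str, "authenticator": str}

    def create_account(self, email: str, password: str) -> None:
        self.accounts[email] = {
            "passwd_hash": client_side_hash(email, password),
            "authenticator": secrets.token_hex(16),
        }

    def lookup_account(self, email: str, presented_hash: str):
        """The value checked is the hash, so a copy of the database row is as
        good as the password: no cracking is needed."""
        row = self.accounts.get(email)
        if row and hmac.compare_digest(row["passwd_hash"], presented_hash):
            return row["authenticator"]
        return None


class PasswordVerifierServer:
    """Variant 2: stores a per-account salt and an scrypt verifier derived
    server-side from the password. The stored value cannot be replayed as a
    credential because the server re-derives it from the presented password.
    (Assumes the password travels over a confidential channel such as TLS.)"""

    def __init__(self):
        self.accounts = {}  # email -> {"salt": bytes, "verifier": bytes, "authenticator": str}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # scrypt parameters are an illustrative choice, not a recommendation.
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def create_account(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = {
            "salt": salt,
            "verifier": self._derive(password, salt),
            "authenticator": secrets.token_hex(16),
        }

    def lookup_account(self, email: str, presented_password: str):
        row = self.accounts.get(email)
        if row is None:
            return None
        candidate = self._derive(presented_password, row["salt"])
        if hmac.compare_digest(row["verifier"], candidate):
            return row["authenticator"]
        return None


def replay_dumped_hash(server, email: str):
    """Attacker's move after an SQL injection dump: present the stored
    password field itself as the credential, without cracking it."""
    row = server.accounts[email]
    stored = row["passwd_hash"] if "passwd_hash" in row else row["verifier"].hex()
    return server.lookup_account(email, stored)


if __name__ == "__main__":
    # Constructed sample account; not real data.
    email, password = "user@example.org", "correct horse battery staple"
    weak, strong = HashAsCredentialServer(), PasswordVerifierServer()
    weak.create_account(email, password)
    strong.create_account(email, password)
    print("replay against hash-as-credential server:", replay_dumped_hash(weak, email))
    print("replay against verifier server:", replay_dumped_hash(strong, email))
```

Switching MD5 for SHA-256 in `client_side_hash` changes nothing in variant 1: the attacker never needs to invert the hash, because the hash is the secret the server checks. Variant 2 fixes that by making the stored value a verifier rather than a credential, which is the change the thread's question is really asking for.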
