On Apr 3, 2010, at 12:27 PM, Joshua Paine wrote:

> * But using the same project code on all passwords means that it's
> easier to build a custom rainbow table to attack at once all passwords
> stored in a given repo.

Not so in this case. The stored hash is computed as follows:

    SHA1( project-code + "/" + login + "/" + password )

This means that the password hash will always be unique (to an exceedingly high probability) even if the same password is used by two or more users on the same project, or by the same user on different projects.

> * The only plausible benefit of using the project code instead of a
> random salt that I can think of is to make stored passwords non-portable
> across repos. (With salt and hash stored together, the lot could be
> copied to a user in another repo with the same name and used.) But for
> my use case this is a hindrance, not a benefit, and I can't think of
> any situation in which it would actually help.

Another (important) benefit of using the project code instead of random salt is that the client already knows the project code, and hence it does not need to do a preliminary round-trip to the server just to get the salt prior to encoding the user's password whenever it does a push or pull.

You cannot copy the hashed password between repositories. But Fossil still accepts unhashed passwords in the USER table. If the USER.PW field contains text that is not 40 characters in length, then that text is interpreted as an unhashed password and is hashed at run-time. So if you want to add a user to multiple repositories, you can simply write a script that inserts entries into the USER table of the various repositories with a cleartext password. Or, if you are writing scripts, your script can invoke "fossil user password LOGIN PASSWORD --repository REPOSITORY-FILENAME" which will cause the password to be inserted hashed instead of cleartext.

> So for improved utility (for certain uses, anyway) and slightly improved
> security, the project code in the hash should be replaced with a per-row
> random salt.
>
> --
> Joshua Paine
> LetterBlock LLC
> http://letterblock.com/
> Web applications built with joy.

D. Richard Hipp
d...@hwaci.com

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
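The hashing scheme and the 40-character USER.PW rule described in the reply above, as an added Python example (not Fossil's own code); the project codes, logins and passwords are constructed values, and the verification helper is an assumption for illustration, not a Fossil API.

```python
import hashlib
import hmac

# Added example, not Fossil's code: the scheme described in the thread is
#   SHA1( project-code + "/" + login + "/" + password )
# and a USER.PW value that is not 40 characters long is treated as a
# cleartext password and hashed at run-time.

def fossil_pw_hash(project_code: str, login: str, password: str) -> str:
    """Lowercase hex SHA1 of 'project-code/login/password' (40 hex chars)."""
    data = f"{project_code}/{login}/{password}".encode("utf-8")
    return hashlib.sha1(data).hexdigest()

def stored_to_hash(project_code: str, login: str, stored_pw: str) -> str:
    """Normalise a USER.PW value as the thread describes: a 40-character
    value is already a hash; anything else is cleartext and is hashed here.
    Corollary: a cleartext password that happens to be exactly 40 characters
    would be taken for a hash, so scripts should store hashes explicitly."""
    if len(stored_pw) == 40:
        return stored_pw
    return fossil_pw_hash(project_code, login, stored_pw)

def check_password(project_code: str, login: str,
                   stored_pw: str, candidate: str) -> bool:
    """Hypothetical verifier: compare the candidate's hash with the stored
    value in constant time."""
    expected = stored_to_hash(project_code, login, stored_pw)
    return hmac.compare_digest(expected,
                               fossil_pw_hash(project_code, login, candidate))

if __name__ == "__main__":
    # Constructed sample values (not real project codes).
    proj_a, proj_b = "projectcode-A", "projectcode-B"
    h_alice_a = fossil_pw_hash(proj_a, "alice", "s3cret")
    # Same password, different login or project: different hash.
    print(h_alice_a != fossil_pw_hash(proj_a, "bob", "s3cret"))
    print(h_alice_a != fossil_pw_hash(proj_b, "alice", "s3cret"))
    # A cleartext USER.PW entry still verifies; a hash copied from
    # repository A does not verify in repository B.
    print(check_password(proj_a, "alice", "s3cret", "s3cret"))
    print(check_password(proj_b, "alice", h_alice_a, "s3cret"))
```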