On Apr 3, 2010, at 12:27 PM, Joshua Paine wrote:
>
> * But using the same project code on all passwords means that it's
> easier to build a custom rainbow table to attack at once all passwords
> stored in a given repo.

Not so in this case.  The stored hash is computed as follows:

     SHA1( project-code + "/" + login + "/" + password )

This means that the password hash will always be unique (to an  
exceedingly high probability) even if the same password is used by two  
or more users on the same project, or by the same user on different  
projects.

>
> * The only plausible benefit of using the project code instead of a
> random salt that I can think of is to make stored passwords non-portable
> across repos. (With salt and hash stored together, the lot could be
> copied to a user in another repo with the same name and used.) But for
> my use case this is a hindrance, not a benefit, and I can't think of
> any situation in which it would actually help.

Another (important) benefit of using the project code instead of  
random salt is that the client already knows the project code, and  
hence it does not need to do a preliminary round-trip to the server  
just to get the salt prior to encoding the user's password whenever it  
does a push or pull.

You cannot copy the hashed password between repositories.  But Fossil  
still accepts unhashed passwords in the USER table.  If the USER.PW  
field contains text that is not 40 characters in length, then that  
text is interpreted as an unhashed password and is hashed at run-time.

So if you want to add a user to multiple repositories, you can simply  
write a script that inserts entries into the USER table of the various  
repositories with a cleartext password.

Or, if you are writing scripts, your script can invoke "fossil user  
password LOGIN PASSWORD --repository REPOSITORY-FILENAME" which will  
cause the password to be inserted hashed instead of cleartext.

>
> So for improved utility (for certain uses, anyway) and slightly improved
> security, the project code in the hash should be replaced with a per-row
> random salt.
>
> -- 
> Joshua Paine
> LetterBlock LLC
> http://letterblock.com/
> Web applications built with joy.
> _______________________________________________
> fossil-users mailing list
> fossil-users@lists.fossil-scm.org
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

D. Richard Hipp
d...@hwaci.com
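The hashing scheme and the 40-character USER.PW rule described in the reply above, as an added example that is not code from the Fossil project or from either poster. The UTF-8 encoding of the hash input, the lowercase hex output and the sample project code and logins are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real repository.
PROJECT_CODE = "constructed-project-code-0123456789"
OTHER_PROJECT_CODE = "constructed-project-code-9876543210"


def fossil_password_hash(project_code: str, login: str, password: str) -> str:
    """SHA1 over "project-code/login/password", as the email describes.

    Returns the 40-character hex digest stored in USER.PW. Because the login
    and project code are part of the input, two users sharing a password, or
    one user on two projects, get different digests; a single precomputed
    table cannot cover a whole repository.
    """
    material = f"{project_code}/{login}/{password}".encode("utf-8")  # assumed encoding
    return hashlib.sha1(material).hexdigest()


def is_hashed(stored_pw: str) -> bool:
    """USER.PW counts as a hash only when it is exactly 40 characters long;
    any other length is treated as a cleartext password."""
    return len(stored_pw) == 40


def verify_login(stored_pw: str, project_code: str, login: str, password: str) -> bool:
    """Check a presented password against a USER.PW value.

    A cleartext USER.PW entry (length != 40) is hashed at run-time exactly as
    the email says, so the comparison is always digest-to-digest.
    """
    expected = stored_pw if is_hashed(stored_pw) else fossil_password_hash(
        project_code, login, stored_pw)
    candidate = fossil_password_hash(project_code, login, password)
    # Constant-time comparison avoids leaking how many leading characters match.
    return hmac.compare_digest(expected, candidate)


def hash_user_rows(project_code: str, rows: dict[str, str]) -> dict[str, str]:
    """Convert a {login: cleartext} table (the multi-repo script scenario) into
    {login: hashed} so the repository stores digests instead of cleartext."""
    return {login: fossil_password_hash(project_code, login, pw)
            for login, pw in rows.items()}
```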


