I have changed that after I discovered it. In trunk, it now uses a random salt.
Melanie

Impalah Shenzhou wrote:
> This comes from UserManagerBase.AddUser (0.6.6):
>
> string md5PasswdHash = Util.Md5Hash(Util.Md5Hash(password) + ":" +
> String.Empty);
>
> The salt should be where String.Empty is.
>
> I think it doesn't change in the most recent versions, so the "create user"
> method of the console (both standalone and ugaim) is insecure by default.
>
> Anyway, I agree with Melanie and Adam that the salt is needed for improving
> security: if not a random salt every time you create a user, at least a
> long and secret unique salt.
>
> Greetings
>
> 2009/10/16 Frisby, Adam <a...@deepthink.com.au>
>
>> +1 to Melanie, that code is *not* secure. It is salted with a ":" but
>> that's a fixed known salt.
>>
>> This is what I suggest:
>>
>> $passwordSalt = md5(time() . microtime() . mt_rand(0, mt_getrandmax())); // or
>> any other good random source
>> $passwordHash = md5(md5($password) . ':' . $passwordSalt);
>>
>> $passwordSalt should be unique among your database (very likely with the
>> above code); if there are duplicates, then it allows dictionary attacks to
>> be done; the more duplicates, the more effective it is.
>>
>> Adam
>>
>> > -----Original Message-----
>> > From: opensim-dev-boun...@lists.berlios.de [mailto:opensim-dev-
>> > boun...@lists.berlios.de] On Behalf Of Melanie
>> > Sent: Thursday, 15 October 2009 4:14 PM
>> > To: opensim-dev@lists.berlios.de
>> > Subject: Re: [Opensim-dev] open sim UUID and Passwordhash
>> >
>> > Please don't use that code. It creates unsalted hashes, which are
>> > not secure.
>> > The "" should be a random salt, stored in the passwordSalt field in
>> > the DB. If that is blank, you're running a very insecure system.
>> >
>> > Melanie
>> >
>> > Rich White wrote:
>> > > here is the PHP code - $password_hash = md5(md5($password) . ":" . "");
>> > >
>> > > an md5 hash of an md5 hash
>> > >
>> > > =====
>> > >
>> > > 2009/10/15 Márcio Cardoso <marciomai...@gmail.com>:
>> > >> Good night,
>> > >>
>> > >> Would it be possible for someone to help me with 2 problems I have? I'm
>> > >> trying to create a stored procedure in mysql to add users, but I do not know
>> > >> how the UUID is generated. Does anyone have any idea how this happens? Another
>> > >> problem is how the password is encoded.
>> > >>
>> > >> Ideally I would have access to the code that opensim uses to add avatars,
>> > >> but I got tired of looking and found nothing. I thank you for your help.
>> > >>
>> > >> Greetings,
>> > >>
>> > >> Márcio Cardoso
>> > >>
>> > >> _______________________________________________
>> > >> Opensim-dev mailing list
>> > >> Opensim-dev@lists.berlios.de
>> > >> https://lists.berlios.de/mailman/listinfo/opensim-dev
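The scheme argued over in this thread, md5(md5(password) + ":" + salt), as an added example that is neither OpenSim's code nor anything posted by the participants. It reproduces the 0.6.6 construction with the fixed String.Empty salt and with a random per-user salt, and runs a small offline dictionary attack against both so the effect of the salt is visible in the work count rather than asserted. It goes slightly beyond the thread by measuring that cost. Assumptions, labelled in the code: Util.Md5Hash and PHP md5() both produce a lowercase hex digest, a dict stands in for the users table's passwordHash/passwordSalt columns, the 16-byte CSPRNG salt is a choice made for this example rather than what trunk does, and the wordlist and user passwords are constructed.

```python
# Added example, not code from the OpenSim project or from anyone in the thread.
# Reproduces the scheme quoted from UserManagerBase.AddUser,
#     md5(md5(password) + ":" + salt)
# with the fixed empty salt (0.6.6 default) and with a random per-user salt,
# then runs a dictionary attack against both to show what the salt buys.
# Assumptions: Util.Md5Hash and PHP md5() both yield lowercase hex; "db" is a
# plain dict standing in for the users table (passwordHash / passwordSalt).
import hashlib
import secrets


def md5_hex(s: str) -> str:
    """Lowercase hex MD5 of a UTF-8 string, like PHP md5()."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def opensim_hash(password: str, salt: str) -> str:
    """md5(md5(password) + ':' + salt), the construction discussed in the thread."""
    return md5_hex(md5_hex(password) + ":" + salt)


def new_salt() -> str:
    """128 bits from the OS CSPRNG as 32 hex chars (same width as an md5 hex
    salt). Hypothetical choice for this example, not what trunk does."""
    return secrets.token_hex(16)


def create_user(db: dict, name: str, password: str, salted: bool = True) -> None:
    """Store a user row. salted=False reproduces the 0.6.6 String.Empty salt."""
    salt = new_salt() if salted else ""
    db[name] = {"passwordSalt": salt, "passwordHash": opensim_hash(password, salt)}


def verify(db: dict, name: str, password: str) -> bool:
    """Login check: rehash with the stored salt, compare in constant time."""
    row = db.get(name)
    if row is None:
        return False
    return secrets.compare_digest(row["passwordHash"],
                                  opensim_hash(password, row["passwordSalt"]))


def dictionary_attack(db: dict, wordlist: list) -> tuple:
    """Offline attack on a leaked users table. Returns (cracked, hashes_computed).

    One lookup table is built per distinct salt. With a fixed salt every user
    shares that table, so the cost is len(wordlist) no matter how many users
    there are; per-user salts force a fresh table for each user."""
    users_by_salt = {}
    for name, row in db.items():
        users_by_salt.setdefault(row["passwordSalt"], []).append(name)

    cracked, hashes_computed = {}, 0
    for salt, names in users_by_salt.items():
        table = {}
        for word in wordlist:
            table[opensim_hash(word, salt)] = word
            hashes_computed += 1
        for name in names:
            guess = table.get(db[name]["passwordHash"])
            if guess is not None:
                cracked[name] = guess
    return cracked, hashes_computed


if __name__ == "__main__":
    wordlist = ["123456", "password123", "letmein"]  # constructed, not a real list
    for salted in (False, True):
        db = {}
        create_user(db, "alice", "password123", salted)
        create_user(db, "bob", "password123", salted)
        create_user(db, "carol", "letmein", salted)
        cracked, work = dictionary_attack(db, wordlist)
        print(f"salted={salted}: alice and bob share a hash: "
              f"{db['alice']['passwordHash'] == db['bob']['passwordHash']}, "
              f"cracked={sorted(cracked)}, hashes computed={work}")
```

With the empty salt, alice and bob get identical rows and one pass over the wordlist cracks the whole table; with per-user salts the same attack still succeeds, but has to be repeated per user and identical passwords no longer stand out. That is the whole benefit of the salt here: it removes the cross-user amortisation and precomputed tables, not the weakness of a single fast MD5, so a per-user dictionary attack stays cheap.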