prlucas / openhelbreath

Automatically exported from code.google.com/p/openhelbreath
0 stars 1 forks source link

Testing - MySQL storing plain passwords #1

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
asdfasdfasdf

testing

Original issue reported on code.google.com by Drajwer@gmail.com on 5 Oct 2009 at 10:36

GoogleCodeExporter commented 9 years ago
ServerSide
- Database password field should be changed from varchar(10) to varchar(32) 

LogServer
- Quick Sample:

import md5
hash = md5.new()
hash.update("PASSWORD STRING")
value = hash.hexdigest()

- Password in SQL database is stored as MD5 hex hash and compared with md5 hex 
hash
from user packet

Client
- User enters password and clicks submit to send packet
- Before packet is sent client converts password to MD5 hash
- Raw Password will never arrive to server

Notes:
- Password related packets will be larger due to password length (previously 
buffer
size 10, new size is 32)
- PHP script needs to be developed for when user requires password reset since 
Admin
will not be able to recover the password for user.  Should be easy.  Email to 
user.

A client framework is needed before we can work on this.  If we are going to 
use the
HB client source already out there, just upload it to SVN so we can get working 
on it.

Original comment by SirHypnotoad@gmail.com on 6 Oct 2009 at 12:30

GoogleCodeExporter commented 9 years ago
Good news (is in my spare time - some time ago) I did an SHA1 encryption for 
client:

#include "SHA1.h" // The CSHA1 class

add variables in CGame::bSendCommand:
CSHA1 sha1;
char szReport[1024];    

code under case MSGID_REQUEST_LOGIN: to replace password code:

szReport[0] = 0;

sha1.Reset();
sha1.Update((unsigned char *)m_cAccountPassword, strlen(m_cAccountPassword));
sha1.Final();

sha1.ReportHash(szReport, CSHA1::REPORT_HEX);

memcpy(cTxt, szReport, 40);
memcpy(cp, cTxt, 40); 
cp += 40;

// a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
//"a94a8fe5ccb1 9b a6 1c 4c 08 73 d3 91 e9 87 98 2f bb d3"
//"64 0A B2 BA E0 7B ED C4 C1 63 F6 79 A7 46 F7 AB 7F B5 D1 FA"

Now what do you recommend: SHA1 or MD5 or other?

Original comment by SirHypnotoad@gmail.com on 6 Oct 2009 at 1:13

GoogleCodeExporter commented 9 years ago
Options are:
md5(), sha1(), sha224(), sha256(), sha384(), and sha512()

import hashlib
print hashlib.sha1("test password").hexdigest()

md5
0cc175b9c0f1b6a831c399e269772661

sha1
86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

sha224
abd37534c7d9a2efb9465de931cd7055ffdb8879563ae98078d6d6d5

sha256
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

sha384
54a59b9f22b0b80880d8427e548b7c23abd873486e1f035dce9cd697e85175033caa88e6d57bc35e
fae0b5afd3145f31

sha512
1f40fc92da241694750979ee6cf582f2d5d7d28e18335de05abc54d0560e0f5302860c652bf08d56
0252aa5e74210546f369fbbbce8c12cfc7957b2652fe9a75

I'd go with SHA1

Original comment by SirHypnotoad@gmail.com on 7 Oct 2009 at 10:47

GoogleCodeExporter commented 9 years ago
Yeah, SHA1 > MD5. Sha512 is strongest hashing algorithm atm (if Im right). 
So... SHA1 ;)

Original comment by Drajwer@gmail.com on 8 Oct 2009 at 12:01

GoogleCodeExporter commented 9 years ago
Done

Original comment by SirHypnotoad@gmail.com on 12 Oct 2009 at 8:39

GoogleCodeExporter commented 9 years ago
fix removed. issue open again

Original comment by SirHypnotoad@gmail.com on 17 Oct 2009 at 3:46

GoogleCodeExporter commented 9 years ago
"- Before packet is sent client converts password to MD5 hash
- Raw Password will never arrive to server"

Oh, really?
That makes your MD5 encryption utterly useless. OK, maybe not useless, but it 
defeats
the main purpose of MD5-ing the passwords.

Original comment by elim...@gmail.com on 28 Oct 2009 at 9:07

GoogleCodeExporter commented 9 years ago
I suggest this:
 1. Server generates a random text string, take the MD5 sum and send to Client (token)
 2. Client MD5 sum the password, concatenate with "token" and MD5 sum them.
 3. Client sends the result to server.
 4. Server makes the same with token and db hash, then compare.

 PD: Sorry for my poor english

Original comment by drazz.rulez@gmail.com on 29 Oct 2009 at 9:58

GoogleCodeExporter commented 9 years ago
Maybe I don't understand you Cleroth, but whats wrong with sending Hashed 
password
from client instead of plain? Please explain it further.

Original comment by Drajwer@gmail.com on 5 Nov 2009 at 11:03

GoogleCodeExporter commented 9 years ago
@Drajwer:
"- Password in SQL database is stored as MD5 hex hash and compared with md5 hex 
hash
from user packet"

This. If I gain access to your DB, I now have everyone's 'password', since I 
don't
need the password, but just the hash. If you really want the client to send a 
MD5'd
password to server, then you should MD5 it again to save it on the DB.

Original comment by elim...@gmail.com on 6 Nov 2009 at 8:38