Btw, I'd suggest that the server uses a salt loaded from a file (that is not in the repo) to generate the hash (otherwise it might be too easy to make a rainbow table for all possible IPs for every day, using some VPU).

That, and/or repeated hashing (1000 times at least, considering how fast hashes, and therefore rainbow tables, can be generated on modern hardware).

Original comment by sheepyluva on 27 Jan 2014 at 6:06
Seems reasonable. Multiple hash loops are reasonable too, although presumably in conjunction w/ that, since a rainbow would still be pretty easy then.

Presumably the salt would consist of the secret + daily rotating part, then, to ensure a shifting salt.

Original comment by kyberneticist@gmail.com on 27 Jan 2014 at 6:20
Daily salt in repo? Wat??

My proposition: salt is read from /dev/urandom (dunno, maybe 16 bytes?), ip + salt hashed, result is cut to... let's say 16-20 digits. That's it.

Original comment by unC0Rr on 28 Jan 2014 at 7:42
Sure, why not. Fetching the salt once a day from /dev/urandom is, I guess, a wee bit harder to go after, although it isn't like anyone out there would be trying to guess the secret part of a salt.

Both prob have about the same effectiveness, although "2014-01-29"+"somesecret129047108915y07wef781gut4y1gy" stored in config has the advantage of skipping that once-a-day dev read. Maybe a bit simpler to implement too.

*shrug*

Original comment by kyberneticist@gmail.com on 29 Jan 2014 at 8:31
Already reading /dev/urandom for authentication, and that really is 1 function call, so it isn't a problem at all.

Original comment by unC0Rr on 30 Jan 2014 at 5:18
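The scheme agreed on in the thread (a fresh random salt once a day, IP and salt hashed, digest truncated to 16-20 hex digits) as an added example; this is not the project's code. It uses HMAC-SHA256 keyed with the salt instead of a plain hash over ip+salt, which is an assumption on my part, and the `urandom` parameter exists only so a test can inject a deterministic source in place of `os.urandom`.

```python
import hashlib
import hmac
import os
from datetime import date

SALT_BYTES = 16        # the thread suggests ~16 bytes from /dev/urandom
TOKEN_HEX_DIGITS = 20  # the thread suggests cutting the digest to 16-20 digits


class DailyIpHasher:
    """Pseudonymise client IPs with a salt that rotates once a day.

    The salt lives only in memory, so it is never in the repo or config, and
    a table precomputed for one day's tokens is useless for the next day.
    """

    def __init__(self, salt_bytes=SALT_BYTES, digits=TOKEN_HEX_DIGITS,
                 urandom=os.urandom):
        self._urandom = urandom          # os.urandom reads /dev/urandom on Unix
        self._salt_bytes = salt_bytes
        self._digits = digits
        self._salt_day = None            # ISO date string the current salt belongs to
        self._salt = None

    def _salt_for(self, day):
        # First request on a new day: discard the old salt and draw a new one.
        if day != self._salt_day:
            self._salt = self._urandom(self._salt_bytes)
            self._salt_day = day
        return self._salt

    def token(self, ip, day=None):
        """Return the truncated hex token for `ip` on `day` (ISO string, default today)."""
        day = day or date.today().isoformat()
        salt = self._salt_for(day)
        # Keyed HMAC rather than hash(ip + salt): the salt acts as the key, so
        # there is no ambiguity about where the salt ends and the IP begins.
        digest = hmac.new(salt, ip.encode("ascii"), hashlib.sha256).hexdigest()
        return digest[:self._digits]


if __name__ == "__main__":
    hasher = DailyIpHasher()
    # 203.0.113.5 is a documentation address used here as constructed input.
    print(hasher.token("203.0.113.5"))
```

Within one day the same IP always maps to the same token, so per-day counting still works; across days the tokens are unrelated.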
Original issue reported on code.google.com by sheepyluva on 24 Jan 2014 at 5:03