Snitz Forums 2000
The Need for Seeded Passwords

work mule
Posted - 21 October 2002 : 14:11:23
I'm sure this is going to get overlooked in my other post, so I'm going to post it as its own topic.

FACT:
Snitz is an open/public application. Anyone can download Snitz, open it up and see it uses SHA256. No secrets there.

FACT:
It is possible through XSS (Cross Site Scripting) or other means to capture another person's cookies.

PROBLEM:
If someone managed to get a hold of a user's encrypted password which was stored in their cookie, it wouldn't be difficult to compare the captured encrypted hash (being the password in this example) with a list of hashes generated from running the SHA256 function against a dictionary. Where there was a match, they would just have to cross-reference their hash with the original word/string to identify the password. Once they have the match, they know the password and can come to the site and login.

Seeing that many people use ordinary words as passwords, it's not an impractical way to figure out a user's password. That's why it's recommended to salt something like a session key or password or even go to the extreme and replace the password with a session key or token.

SOLUTION:
Either rely on the siteowner to set a generic salt for the entire site or add a field to the database which holds a unique salt for each user. Yes, the siteowner would have access to the salt and could still do this, but at least we'll add some protection against external threats.

It also comes down to a matter of educating users not to use simple passwords, but as a siteowner, it's a bit impractical to try and teach 1000+ users this concept.

BTW...before someone jumps on me for posting this, let me say that if you do research on authentication techniques and practices, this is pretty common knowledge. The people who would be prone to exploit something like this most likely already know. This is about educating people on how to protect their websites.

HuwR
Posted - 21 October 2002 : 15:22:34
That is why it is recommended that you use a combination of letters and numbers; it is then not possible to do what you suggest, well, not unless you want to spend a very long time.

work mule
Posted - 21 October 2002 : 16:02:34
quote:
Originally posted by HuwR

That is why it is recommended that you use a combination of letters and numbers; it is then not possible to do what you suggest, well, not unless you want to spend a very long time.

You and I know to do that. Many people do not. I remember taking a look at the member tables for our sites and thought I was looking at a table of dictionary entries. What was sad was that some of the people who should have known better were the worst offenders.

That is why we could attempt to protect them from themselves, at least while they're using our sites. What they do outside of our site is up to them.

Edited by - work mule on 21 October 2002 16:03:51

e3stone
Posted - 21 October 2002 : 17:01:05
Would it hurt performance any to use an encryption method that isn't one way? Use something like Blowfish that requires a key? That way the Admin could set a key and it would be close to impossible to bust a password. I'm sure this option was looked at, but what was the reasoning for one-way encryption? Just curious.


RichardKinser
Posted - 21 October 2002 : 17:47:44
quote:
Originally posted by e3stone

what was the reasoning for one-way encryption? Just curious.

simplicity.

Gremlin
Posted - 21 October 2002 : 19:49:54
We've gone over much of this ground before, WM. I recall posting this in our earlier discussions on encryption: that there would be no harm in requiring a seed value to be added to the user's config.asp; just a 4-digit number is all that's required. A default value is placed in config.asp, and the setup checks to ensure the default value has been changed before allowing setup.asp to be completed.

Having said that, the incidence level of cookie stealing has dropped dramatically, with the latest versions of browsers implementing much better cookie control.

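The salted scheme work mule proposes in the first post and the changed-from-default seed check Gremlin describes, as an added Python example that is not part of this thread or of Snitz's own ASP code. The hash construction (site seed + per-user salt + password through SHA-256), the DEFAULT_SEED placeholder and all function names are assumptions; the sample seed and passwords are constructed.

```python
import hashlib
import hmac
import secrets

DEFAULT_SEED = "0000"  # assumed placeholder shipped in config.asp; setup must refuse it


def seed_was_changed(site_seed: str, default: str = DEFAULT_SEED) -> bool:
    """The setup.asp check Gremlin describes: refuse to complete setup until the
    site owner has replaced the shipped default seed with a 4-digit number."""
    return site_seed != default and len(site_seed) >= 4 and site_seed.isdigit()


def hash_password(password: str, site_seed: str, user_salt: str) -> str:
    """Assumed construction: SHA-256 over site seed + per-user salt + password.
    The seed is site-wide (config.asp); the salt is a new per-user DB column."""
    return hashlib.sha256((site_seed + user_salt + password).encode("utf-8")).hexdigest()


def make_member_record(password: str, site_seed: str) -> dict:
    """Build the stored record for a new member: a fresh random salt plus the hash."""
    user_salt = secrets.token_hex(8)  # 16 hex chars, unique per member
    return {"salt": user_salt, "hash": hash_password(password, site_seed, user_salt)}


def verify_password(password: str, site_seed: str, record: dict) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    candidate = hash_password(password, site_seed, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_sha256(password: str) -> str:
    """What the thread says Snitz stores today: a bare SHA-256 of the password,
    which is exactly the value a precomputed dictionary table is keyed on."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    seed = "4821"  # constructed site seed
    assert seed_was_changed(seed) and not seed_was_changed(DEFAULT_SEED)
    a = make_member_record("letmein", seed)
    b = make_member_record("letmein", seed)  # second member, same weak password
    # Same password, different stored hashes: a table keyed on the bare hash
    # no longer matches either member, nor reveals that they share a password.
    print(a["hash"] != b["hash"], a["hash"] != unsalted_sha256("letmein"))
    print(verify_password("letmein", seed, a), verify_password("letmeout", seed, a))
```

The salt defeats the precomputed dictionary lookup the first post describes; it does not help if the cookie still carries the hash itself, which is why the post also mentions replacing the password with a session key or token.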
Snitz Forums 2000 © 2000-2021 Snitz™ Communications
Powered By: Snitz Forums 2000 Version 3.4.07