muzishun
Senior Member
United States
1079 Posts
Posted - 21 December 2007 : 10:52:28
I am officially calling this a 1.0 release now. In the past month or so, there have been a couple dozen downloads of the MOD, and nobody has posted back yet with issues.
I'd like to get some other individuals to help me test this MOD. I've tested it once, but I want to ensure that everything works properly before I call it an official 1.0 release.
Password Salting
Version: 1.0
Author: Bill Parrott (muzishun)
Forum Version: Snitz Forum 2000 v3.4.06
Tested Databases: MS Access 2000
Last Updated: 1/17/08
Download Link: Chimeric Dream, SnitzBitz
(From Wikipedia) "In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The other input is usually a password or passphrase. The output of the key derivation function is stored as the encrypted version of the password. A salt can also be used as a key in a cipher or other cryptographic algorithm. The key derivation function typically uses a hash function. Sometimes the initialization vector, a previously-generated value, is used as a salt."
This MOD helps make a site more secure by adding a randomly generated string to the end of users' passwords before they are encrypted. This ensures that even if someone gains access to the forum's database, even a brute force attempt to crack the passwords will be ineffective, due to the fact that a user's password cannot possibly be guessed (unless someone discovers the salt, of course).
Comments can be posted in this reply, but for support and bug reports, please visit the MOD Implementation forum here.
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com)
Edited by - muzishun on 17 January 2008 11:15:58
AnonJr
Moderator
United States
5768 Posts
Posted - 21 December 2007 : 11:15:58
Will adding this MOD to a running site make existing passwords broken? While I understand the concept of salting the password, and while I agree that it's a good thing, I don't want to make all my users re-enter their password so I can add this to an existing site... I'm not sure I'm going to get a good enough return for the effort.
Just thought I'd raise the issue.
muzishun
Senior Member
United States
1079 Posts
Posted - 21 December 2007 : 11:29:06
Nope. I've got it coded so that when a user logs in, their password is checked both salted and unsalted. If the unsalted version matches the database, the DB is updated with the salted version of their password. This way, you should be able to install it seamlessly on a running forum.
Edit: This question already seems like it should be in the FAQ of the MOD readme. I have updated the zip files at both locations. I have a feeling that's a question a lot of people will want an answer to before they install the MOD.
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com)
Edited by - muzishun on 21 December 2007 11:33:55
MarcelG
Retired Support Moderator
Netherlands
2625 Posts
Posted - 22 December 2007 : 02:25:11
Great initiative Bill! Now we just need a security expert to validate this salting method to see if it really increases security.
portfolio - linkshrinker - oxle - twitter
phy1729
Average Member
USA
589 Posts
Posted - 22 December 2007 : 11:08:20
If you check both salted and unsalted passwords then the user effectively has two passwords. One is probably a mess of ASCII, possibly unusable if it includes any chars <32 (non-printable chars), but keep that in mind. It would make a faster brute force, and the attacker can find the unsalted password and still get in even if the password is salted. You may want to add a boolean value to the db that records if the password is salted or not, or even an int value to record the version if you need to change the algorithm.
muzishun
Senior Member
United States
1079 Posts
Posted - 22 December 2007 : 12:16:49
The unsalted pass is only checked to see if the database has been updated yet. Basically, here's what happens:
1. The user tries to log in.
2. The forum salts their password and hashes it twice (once salted and once unsalted).
3. The forum checks the salted hash to see if it matches the hash in the database.
4. If yes, the user is logged in.
5. If no, the forum checks to see if the user's password in the database has been updated from the unsalted version.
6. If the unsalted hash matches the db, the forum executes an UPDATE statement that puts the salted hash into the database in place of the unsalted one.
So basically, the unsalted password will no longer work after the user logs in once. And since the salt is not stored in the database, a hacker would have to actually gain access to your server to find out what it is, and at that point, you have bigger problems than database security.
Thanks for the comments! I have started having more time to work on some of the things I had going on in the background, so expect more stuff from me in the coming weeks/months.
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com)
Edited by - muzishun on 22 December 2007 12:17:43
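The login-and-migrate flow muzishun lists above, combined with the "is this row salted yet" flag phy1729 suggested, as an added Python example that is not the MOD's own ASP code. It assumes SHA-256 as the hash (the thread never names one), a constructed site-wide salt value, and an in-memory dict standing in for the forum's user table.

```python
import hashlib
import secrets

# Site-wide secret salt kept in the application config, not in the database,
# exactly as the MOD describes. Constructed placeholder value for this example.
# Caveat: one shared salt means two users with the same password get the same
# hash; per-user random salts stored beside the hash are the usual remedy.
SITE_SALT = "example-site-salt-not-a-real-value"


def unsalted_hash(password: str) -> str:
    """Pre-MOD hash of the bare password (SHA-256 assumed here)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: str = SITE_SALT) -> str:
    """The MOD appends the site salt to the password before hashing."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def make_legacy_db() -> dict:
    """Constructed sample user table: rows still hold unsalted hashes."""
    return {
        "alice": {"hash": unsalted_hash("correct horse"), "salted": False},
        "bob": {"hash": unsalted_hash("hunter2"), "salted": False},
    }


def login(user_db: dict, username: str, password: str) -> bool:
    """Steps 1-6 from the thread, gated by phy1729's 'salted' flag so the
    legacy unsalted comparison is only ever attempted on unmigrated rows."""
    row = user_db.get(username)
    if row is None:
        return False
    # Steps 2-4: the salted hash is always checked first.
    if secrets.compare_digest(row["hash"], salted_hash(password)):
        return True
    # Step 5: rows already migrated never accept the unsalted form again.
    if row["salted"]:
        return False
    if secrets.compare_digest(row["hash"], unsalted_hash(password)):
        # Step 6: the UPDATE that swaps the unsalted hash for the salted one.
        row["hash"] = salted_hash(password)
        row["salted"] = True
        return True
    return False
```

After one successful login the row only matches the salted form, which is the property phy1729 was asking the MOD to guarantee.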
modifichicci
Average Member
Italy
787 Posts
muzishun
Senior Member
United States
1079 Posts
Posted - 22 December 2007 : 12:37:58
What is happening to it? What browser are you opening it in?
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com)
modifichicci
Average Member
Italy
787 Posts

modifichicci
Average Member
Italy
787 Posts
muzishun
Senior Member
United States
1079 Posts
Posted - 22 December 2007 : 14:51:40
No problem. You got it working, then?
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com)
modifichicci
Average Member
Italy
787 Posts
muzishun
Senior Member
United States
1079 Posts
Posted - 17 January 2008 : 11:16:42
Updated the initial post. I've upped the version from 0.5b to 1.0, since there haven't been any bug reports in the 30 or so times the MOD has been downloaded and (I'm assuming) installed.
Bill Parrott Senior Web Programmer, University of Kansas Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com) Personal Website (www.chimericdream.com)
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 17 January 2008 : 12:21:13
Forgive my ignorance, but I fail to see how this increases the security. If I register and my password is "password", when I log in my password will always be "password" regardless of what you do to it, so a brute force attack will have exactly the same chance of cracking my password salted or not. It doesn't need to know what is stored in the db; that is irrelevant to a brute force attack.
AnonJr
Moderator
United States
5768 Posts
Posted - 17 January 2008 : 12:36:36
Yeah, but with a salted password you can't run a rainbow table against a filched copy of the database.
HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 17 January 2008 : 13:01:07
quote: Originally posted by AnonJr
Yeah, but with a salted password you can't run a rainbow table against a filched copy of the database.

No, but a rainbow table is not technically a brute force attack either. Simply using a decent password in the first place will prevent anyone cracking it.