Password Salting - Updated 1-17-08 (5048 Views)
Senior Member
muzishun
Posts: 1079
I am officially calling this a 1.0 release now. In the past month or so, there have been a couple dozen downloads of the MOD, and nobody has posted back yet with issues.
I'd like to get some other individuals to help me test this MOD. I've tested it once, but I want to ensure that everything works properly before I call it an official 1.0 release.
Password Salting Version: 1.0
Author: Bill Parrott (muzishun)
Forum Version: Snitz Forum 2000 v3.4.06
Tested Databases: MS Access 2000
Last Updated: 1/17/08
Download Link: Chimeric Dream, SnitzBitz
(From Wikipedia) "In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The other input is usually a password or passphrase. The output of the key derivation function is stored as the encrypted version of the password. A salt can also be used as a key in a cipher or other cryptographic algorithm. The key derivation function typically uses a hash function. Sometimes the initialization vector, a previously-generated value, is used as a salt."

This MOD helps make a site more secure by adding a randomly generated string to the end of users' passwords before they are encrypted. This ensures that even if someone gains access to the forum's database, even a brute force attempt to crack the passwords will be ineffective, due to the fact that a user's password cannot possibly be guessed (unless someone discovers the salt, of course).
Comments can be posted in this reply, but for support and bug reports, please visit the MOD Implementation forum here.
Bill Parrott
Senior Web Programmer, University of Kansas
Co-Owner and Code Monkey, Eternal Second Designs (www.eternalsecond.com)
Personal Website (www.chimericdream.com)
Posted on
Forum Moderator
AnonJr
Posts: 5768
Will adding this MOD to a running site make existing passwords broken? While I understand the concept of salting the password, and while I agree that it's a good thing, I don't want to make all my users re-enter their password so I can add this to an existing site... I'm not sure I'm going to get a good enough return for the effort.
Just thought I'd raise the issue. wink
Posted on
Senior Member
muzishun
Posts: 1079
Nope. I've got it coded so that when a user logs in, their password is checked both salted and unsalted. If the unsalted version matches the database, the DB is updated with the salted version of their password. This way, you should be able to install it seamlessly on a running forum.
Edit: This question already seems like it should be in the FAQ of the MOD readme. I have updated the zip files at both locations. I have a feeling that's a question a lot of people will want an answer to before they install the MOD.
Posted on
Retired Support Moderator
MarcelG
Posts: 2625
Great initiative Bill! Now we just need a security expert to validate this salting method to see if it really increases security.
Posted on
Average Member
phy1729
Posts: 589
If you check both salted and unsalted password then the user effectively has two passwords. One is probably a mess of ASCII, possibly unusable if it includes any chars <32 (non-printable chars), but keep that in mind. It would make a faster brute force and the attacker can find the unsalted password and still get in even if the password is salted. You may want to add a boolean value to the db that records if the password is salted or not, or even an int value to record the version if you need to change the algorithm.
Posted on
Senior Member
muzishun
Posts: 1079
The unsalted pass is only checked to see if the database has been updated yet. Basically, here's what happens:

1. The user tries to log in.
2. The forum salts their password and hashes it twice (once salted and once unsalted).
3. The forum checks the salted hash to see if it matches the hash in the database.
4. If yes, the user is logged in.
5. If no, the forum checks to see if the user's password in the database has been updated from the unsalted version.
6. If the unsalted hash matches the db, the forum executes an UPDATE statement that puts the salted hash into the database in place of the unsalted one.
So basically, the unsalted password will no longer work after the user logs in once. And since the salt is not stored in the database, a hacker would have to actually gain access to your server to find out what it is, and at that point, you have bigger problems than database security.
Thanks for the comments! I have started having more time to work on some of the things I had going on in the background, so expect more stuff from me in the coming weeks/months. smile
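Added example, not code from the MOD or from Snitz Forum (whose pages are VBScript/ASP): a Python model of the login flow muzishun describes above (salted check first, unsalted check as a fallback, then an UPDATE of the stored hash), beside a version that adds the per-row "is this password salted yet?" flag phy1729 suggested. SHA-256 as the hash, the column name M_PASSWORD, the flag name PW_SALTED and the site salt value are all assumptions; the member rows are constructed. The flagless version shows the "two passwords" effect: an already-migrated account also accepts `password + SITE_SALT`, because that string's unsalted hash equals the stored salted hash, and it then silently re-salts the row on top of that. The flagged version consults the unsalted hash only while a row is still unmigrated, so each account has exactly one valid credential at any time.

```python
import hashlib
import hmac

# Site-wide secret salt kept in the application's config files rather than in
# the database, as the thread describes. The value here is constructed.
SITE_SALT = "constructed-site-salt-2008"


def hash_password(password: str, salt: str = "") -> str:
    """Hex SHA-256 of password followed by salt. SHA-256 is an assumption; the
    salt is appended to the password before hashing, as the MOD description says."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def make_db() -> dict:
    """Constructed stand-in for the MEMBERS table. PW_SALTED is the per-row flag
    phy1729 proposed (hypothetical column); rows created before the MOD carry False."""
    return {
        "alice": {"M_PASSWORD": hash_password("correct horse"), "PW_SALTED": False},
        "bob": {"M_PASSWORD": hash_password("hunter2", SITE_SALT), "PW_SALTED": True},
    }


def login_flagless(db: dict, username: str, password: str) -> bool:
    """The migration logic as described in the thread, with no flag: every row
    is checked against the salted hash first, then the unsalted hash."""
    row = db.get(username)
    if row is None:
        return False
    salted = hash_password(password, SITE_SALT)
    if hmac.compare_digest(row["M_PASSWORD"], salted):
        return True
    if hmac.compare_digest(row["M_PASSWORD"], hash_password(password)):
        row["M_PASSWORD"] = salted  # the UPDATE step from the thread
        return True
    return False


def login(db: dict, username: str, password: str) -> bool:
    """Same migration, but the unsalted hash is consulted only while the row is
    still flagged as unmigrated, so a migrated account has one credential only."""
    row = db.get(username)
    salted = hash_password(password, SITE_SALT)  # hash even for unknown users
    if row is None:
        return False
    if row["PW_SALTED"]:
        return hmac.compare_digest(row["M_PASSWORD"], salted)
    if hmac.compare_digest(row["M_PASSWORD"], hash_password(password)):
        row["M_PASSWORD"] = salted   # UPDATE MEMBERS SET M_PASSWORD=..., PW_SALTED=1
        row["PW_SALTED"] = True
        return True
    return False
```

An int version column instead of a boolean, as phy1729 also suggests, lets the same branch structure carry a later change of hash algorithm. Note that a single secret site salt only defeats precomputed tables for as long as the salt stays secret; the usual design is a random per-user salt stored next to the hash together with a deliberately slow password hash, which the thread does not cover.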
Posted on
Average Member
modifichicci
Posts: 787
I cannot see properly your readme included, so I cannot see changes..
Posted on
Senior Member
muzishun
Posts: 1079
What is happening to it? What browser are you opening it in?
Posted on
Average Member
modifichicci
Posts: 787
Posted on
Average Member
modifichicci
Posts: 787
ok that is a very interesting thing and I need a cup of coffee.. sorry
Posted on
Senior Member
muzishun
Posts: 1079
No problem. You got it working, then?