Snitz™ Forums 2000
https://forum.snitz.com/forumTopic/Posts/66135?pagenum=1
04 November 2025, 21:41
Topic
muzishun
Password Salting - Updated 1-17-08
21 December 2007, 10:52
I am officially calling this a 1.0 release now. In the past month or so, there have been a couple dozen downloads of the MOD, and nobody has posted back yet with issues.
I'd like to get some other individuals to help me test this MOD. I've tested it once, but I want to ensure that everything works properly before I call it an official 1.0 release.
Password Salting
Version: 1.0
Author: Bill Parrott (muzishun)
Forum Version: Snitz Forum 2000 v3.4.06
Tested Databases: MS Access 2000
Last Updated: 1/17/08
Download Link: Chimeric Dream, SnitzBitz
(From Wikipedia) "In cryptography, a salt comprises random bits that are used as one of the inputs to a key derivation function. The other input is usually a password or passphrase. The output of the key derivation function is stored as the encrypted version of the password. A salt can also be used as a key in a cipher or other cryptographic algorithm. The key derivation function typically uses a hash function. Sometimes the initialization vector, a previously-generated value, is used as a salt."
This MOD helps make a site more secure by adding a randomly generated string to the end of users' passwords before they are encrypted. This ensures that even if someone gains access to the forum's database, even a brute force attempt to crack the passwords will be ineffective, due to the fact that a user's password cannot possibly be guessed (unless someone discovers the salt, of course).
Comments can be posted in this reply, but for support and bug reports, please visit the MOD Implementation forum here.
Replies ...
AnonJr
21 December 2007, 11:15
Will adding this MOD to a running site make existing passwords broken? While I understand the concept of salting the password, and while I agree that it's a good thing, I don't want to make all my users re-enter their password so I can add this to an existing site... I'm not sure I'm going to get a good enough return for the effort.
Just thought I'd raise the issue.
muzishun
21 December 2007, 11:29
Nope. I've got it coded so that when a user logs in, their password is checked both salted and unsalted. If the unsalted version matches the database, the DB is updated with the salted version of their password. This way, you should be able to install it seamlessly on a running forum.
Edit: This question already seems like it should be in the FAQ of the MOD readme. I have updated the zip files at both locations. I have a feeling that's a question a lot of people will want an answer to before they install the MOD.
MarcelG
22 December 2007, 02:25
Great initiative Bill! Now we just need a security expert to validate this salting method to see if it really increases security.
phy1729
22 December 2007, 11:08
If you check both salted and unsalted passwords then the user effectively has two passwords. One is probably a mess of ASCII, possibly unusable if it includes any chars <32 (non-printable chars), but keep that in mind. It would make a faster brute force, and the attacker can find the unsalted password and still get in even if the password is salted. You may want to add a boolean value to the db that records if the password is salted or not, or even an int value to record the version if you need to change the algorithm.
muzishun
22 December 2007, 12:16
The unsalted pass is only checked to see if the database has been updated yet. Basically, here's what happens:
1. The user tries to log in.
2. The forum salts their password and hashes it twice (once salted and once unsalted).
3. The forum checks the salted hash to see if it matches the hash in the database.
4. If yes, the user is logged in.
5. If no, the forum checks to see if the user's password in the database has been updated from the unsalted version.
6. If the unsalted hash matches the db, the forum executes an UPDATE statement that puts the salted hash into the database in place of the unsalted one.
So basically, the unsalted password will no longer work after the user logs in once. And since the salt is not stored in the database, a hacker would have to actually gain access to your server to find out what it is, and at that point, you have bigger problems than database security.
Thanks for the comments! I have started having more time to work on some of the things I had going on in the background, so expect more stuff from me in the coming weeks/months.
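A model of the login flow muzishun describes above, with the per-row "salted" flag phy1729 suggested earlier, as an added Python example (not the MOD's ASP code). The site salt, the sample rows and the candidate list are constructed, and SHA-256 stands in for whatever hash the forum uses.

```python
import hashlib
import hmac

# Site-wide secret salt. The MOD keeps its salt in inc_pwsalt.asp on disk, not
# in the database; this value is constructed for the example.
SITE_SALT = "K7f$2qLx9!wE"


def unsalted_hash(password: str) -> str:
    # Pre-MOD hash of the bare password (SHA-256 assumed as the hash function).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str) -> str:
    # The MOD appends the salt to the password before hashing.
    return hashlib.sha256((password + SITE_SALT).encode("utf-8")).hexdigest()


def login(users: dict, username: str, password: str) -> bool:
    """users maps username -> {"hash": hexdigest, "salted": bool}.
    The 'salted' column is phy1729's suggestion: the legacy unsalted
    comparison is only attempted for rows that have not been upgraded."""
    row = users.get(username)
    if row is None:
        return False
    if row["salted"]:
        return hmac.compare_digest(row["hash"], salted_hash(password))
    if hmac.compare_digest(row["hash"], unsalted_hash(password)):
        # First login after installing the MOD: this is the UPDATE step in
        # muzishun's description, done here on the in-memory row.
        row["hash"] = salted_hash(password)
        row["salted"] = True
        return True
    return False


def lookup_table_hits(users: dict, candidates: list) -> dict:
    """AnonJr's point: a precomputed table of unsalted hashes maps legacy rows
    in a stolen database straight back to passwords, but matches no row
    that has been upgraded to the salted hash."""
    table = {unsalted_hash(p): p for p in candidates}
    return {u: table[r["hash"]] for u, r in users.items() if r["hash"] in table}


if __name__ == "__main__":
    # Constructed sample rows: both users still carry pre-MOD unsalted hashes.
    users = {"alice": {"hash": unsalted_hash("password"), "salted": False},
             "bob": {"hash": unsalted_hash("A1234567"), "salted": False}}
    print(lookup_table_hits(users, ["password", "123456"]))
    print(login(users, "alice", "password"))
    print(lookup_table_hits(users, ["password", "123456"]))
```

Run directly, the first lookup recovers alice's legacy row, her login upgrades it in place, and the second lookup finds nothing.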
modifichicci
22 December 2007, 12:34
I cannot see properly your readme included, so I cannot see changes..
muzishun
22 December 2007, 12:37
What is happening to it? What browser are you opening it in?
modifichicci
22 December 2007, 13:42
IE and FF; I see a white box in instructions..
modifichicci
22 December 2007, 13:44
ok that is a very interesting thing and I need a cup of coffee.. sorry
muzishun
22 December 2007, 14:51
No problem. You got it working, then?
modifichicci
22 December 2007, 15:28
I will try it in the next days; I would only take a look at the changes required, which are not so hard at a first look.
muzishun
17 January 2008, 11:16
Updated the initial post. I've upped the version from 0.5b to 1.0, since there haven't been any bug reports in the 30 or so times the MOD has been downloaded and (I'm assuming) installed.
HuwR
17 January 2008, 12:21
Forgive my ignorance, but I fail to see how this increases the security. If I register and my password is password, when I log in my password will always be password regardless of what you do to it, so a brute force attack will have exactly the same chance of cracking my password salted or not. It doesn't need to know what is stored in the db; that is irrelevant to a brute force attack.
AnonJr
17 January 2008, 12:36
Yeah, but with a salted password you can't run a rainbow table against a filched copy of the database.
HuwR
17 January 2008, 13:01
Originally posted by AnonJr: Yeah, but with a salted password you can't run a rainbow table against a filched copy of the database.
No, but a rainbow table is not technically a brute force attack either. Simply using a decent password in the first place will prevent anyone cracking it.
muzishun
17 January 2008, 13:13
I agree that using a decent password prevents people from cracking it. However, the question is how much you trust *all* your users to have a decent password. This MOD won't prevent someone from brute forcing a login, but if someone gains access to your database, they at least won't be able to brute force your passwords from there.
AnonJr
17 January 2008, 13:13
Good luck enforcing that. I have a hard enough time explaining to the nurses that come to their computer training why they can't use "A1234567" as a password. (Yes, I really had to return the form and make them fill it out again.... and again a third time before they got the hint.)
HuwR
17 January 2008, 13:25
You don't have to trust all your users, just the admins and moderators; knowing a user's password just means you can make posts.
Enforcing a minimum length is easy and a very effective method, since the longer the password, the less likely there is to be a rainbow table for it.
Shaggy
18 January 2008, 04:47
One of the first things I do with all my forums is enforce a minimum length on passwords as well as add a check for the password being the same as the username.
muzishun
18 January 2008, 09:15
Hmmm... I like those ideas. I smell another miniMOD coming on...
Shaggy
18 January 2008, 09:45
I remember writing something for StephenD a couple of years back for enhancing password security (just a series of checks like the ones above); you should be able to dig it up with a search if you want it.
muzishun
18 January 2008, 10:01
If I find them, would you mind terribly if I tweaked them (if necessary) and packaged them up to put on SnitzBitz?
Shaggy
18 January 2008, 10:11
Not at all, that's why I told you about it. If you can't find it, let me know and I'll have a look for it.
Shaggy
21 January 2008, 11:42
Originally posted by Shaggy: I remember writing something for StephenD a couple of years back for enhancing password security...
This is it. Over 3 years ago now so line numbers, etc. are probably way off.
muzishun
21 January 2008, 11:50
Thanks, Shaggy. I have the day off from work today, so I'll probably tackle that at some point in between cleaning my apartment and watching TV.
AnonJr
21 January 2008, 12:51
Why not code while watching TV? I picked up this nifty laptop desk and it's made it so much easier to kick back on the couch, watch a movie, and work on whatever.
muzishun
21 January 2008, 13:00
Hmm.... I could go for that. It's a little pricey for me right now, but I'll add it to "The List". Thanks for the tip. Till then, I'll stick with coding at the coffee table in my living room.
leesh695
04 March 2008, 20:24
Not sure if I am doing something totally wrong here, but in the pw_salt_setup.asp, it has this line.
Set f = fs.CreateTextFile("d:\websites\chimericdreamcom\test\snitz\inc_pwsalt.asp",true)
I assumed that was the path to your test forum.
I tried to change it to just inc_pwsalt.asp and I got this error.
Microsoft VBScript runtime error '800a0046'
Permission denied
/forum/forum/uploaded/pw_salt_setup.asp, line 5
Not sure why I'm getting it though, because I put it in the file which my file attachment mod can make files in all the time.
muzishun
04 March 2008, 21:45
Oh wow. I can't believe I didn't catch that before. You need to put in the full physical path to your forum directory. For example, if your forum is in the wwwroot directory that many Windows machines use, you'll likely need something like this:
c:\inetpub\wwwroot\yoursite\forum\inc_pwsalt.asp
If you aren't sure what the physical path to your forum directory is, you can use the whereami.asp tool in tools.zip (in the base install of Snitz) or email your host.
leesh695
04 March 2008, 23:28
Thanks,
I used the whereami.asp and it worked fine.
Shaggy
05 March 2008, 04:03
Using server.mappath would be a much better solution to this.
muzishun
05 March 2008, 09:09
Good point. I'm planning to update the readme for this MOD this afternoon, so I'll change that line to use server.mappath when I do.
leesh695
07 March 2008, 14:47
I got this when I uploaded the new files.
Microsoft VBScript compilation error '800a0414'
Any ideas on this? I would really like to implement this mod. I can't seem to work it out and I don't want to change too much in case I destroy everyone's password.
AnonJr
10 March 2008, 13:54
Just a random thought, but what version of VBScript is running on your server? I ask only because it's odd that no one else has had this issue before...
leesh695
10 March 2008, 15:52
ASP.Net Runtime Version: 2.0 IIS Version: IIS 6.0
If you're asking about something else, can you tell me how to find out?
AnonJr
10 March 2008, 16:39
Snitz uses Classic ASP, not .NET... I was looking for the version of VBScript your server had installed. One way to find out:
*All I've got handy is a highly modified version of Snitz, so I can only give you an approximation of what you'll see and what you should add...
Look for a code block that looks something like*:
Code:
for each key in Request.ServerVariables
    Response.Write "<tr>" & _
        "<td class=""putc"" valign=""top""><b>" & key & "</b></td>" & _
        "<td class=""putc"" style=""font-family:courier"">"
    if Request.ServerVariables(key) = "" then
        Response.Write " "
    else
        Response.Write Request.ServerVariables(key)
    end if
    Response.Write "</td>" & _
        "</tr>"
next
After that and before this:
Code:
if blnDisplay = True then
    '## Code below added to show general ADO/Database Information
    Response.Write "<tr>" & _
        "<td class=""hcc hfc c"" colspan=""2""><b>Database Connection Properties</b></td>" & _
        "</tr>"
    for each item in my_Conn.Properties
        Response.Write "<tr>" & _
            "<td class=""putc"" valign=""top""><b>" & item.name & "</b></td>" & _
            "<td class=""putc"" style=""font-family:courier"">"
        if item.value = "" then
            Response.Write " "
        else
            Response.Write item.value
        end if
        Response.Write "</td>" & _
            "</tr>"
    next
    '## Code above added to show general ADO/Database Information
end if
Code:
for each key in Request.ServerVariables
    Response.Write "<tr>" & _
        "<td class=""putc"" valign=""top""><b>" & key & "</b></td>" & _
        "<td class=""putc"" style=""font-family:courier"">"
    if Request.ServerVariables(key) = "" then
        Response.Write " "
    else
        Response.Write Request.ServerVariables(key)
    end if
    Response.Write "</td>" & _
        "</tr>"
next

'Write out the VBScript Version
Response.Write("<tr class=""putc"">" & vbNewLine & _
    "<td valign=""top"" class=""l""><b>Scripting Engine:</b></td>" & _
    "<td class=""putc l"" style=""font-family:courier"">" & _
    ScriptEngine & " v" & ScriptEngineMajorVersion & "." & ScriptEngineMinorVersion & " build " & ScriptEngineBuildVersion & _
    "</td>" & vbNewLine & "</tr>" & vbNewLine)

if blnDisplay = True then
    '## Code below added to show general ADO/Database Information
    Response.Write "<tr>" & _
        "<td class=""hcc hfc c"" colspan=""2""><b>Database Connection Properties</b></td>" & _
        "</tr>"
    for each item in my_Conn.Properties
        Response.Write "<tr>" & _
            "<td class=""putc"" valign=""top""><b>" & item.name & "</b></td>" & _
            "<td class=""putc"" style=""font-family:courier"">"
        if item.value = "" then
            Response.Write " "
        else
            Response.Write item.value
        end if
        Response.Write "</td>" & _
            "</tr>"
    next
    '## Code above added to show general ADO/Database Information
end if
You'll probably need to adjust, as I've CSS'd my forum so it's not quite set up for a vanilla install.
This adds an extra entry to the "Server Information" option on the Admin. page.
Having said all that, if you're using IIS 6, it shouldn't be an issue now that I think about it...
muzishun
10 March 2008, 17:03
Sorry for the lack of responses on this lately. I genuinely am hoping to get some work done on this in the very near future. I *was* having some spare time at work lately, but that is totally gone, and my partner and I are up to our eyeballs in client projects right now. I'll try to take a look in the next couple of days and see if I can address whatever's going on.
richfed
15 March 2008, 12:59
Originally posted by leesh695: Any ideas on this? I would really like to implement this mod. I can't seem to work it out and I don't want to change too much in case I destroy everyone's password.
I am getting that same error ... SQL Server
richfed
17 March 2008, 06:10
THIS is why I would like, very much, to install this MOD: http://forum.snitz.com/forum/topic.asp?whichpage=0.6&TOPIC_ID=66574#376221
AnonJr
17 March 2008, 12:27
Password salting doesn't prevent someone from guessing the password. It just makes it harder to use a rainbow table or other form of brute force against the hash.
phy1729
23 March 2008, 10:48
To those having the error 800a0414: This says to try
Once inc_pwsalt.asp has been created in a dir with permission, is it possible to move it to the forum dir? No more file scripting needed on it?
This is because some servers have limited upload permission..
muzishun
24 March 2008, 14:01
I've generally created the inc_pwsalt.asp in the same directory as my forum, but once you have created it, you may move it around your server as you please.
modifichicci
24 March 2008, 14:03
Thanks, I think I will try it in the next weeks.
Carefree
12 June 2008, 11:54
Pop_Delete.asp wasn't updated to check against the salted password - it will not allow me to delete topics, etc.; losing the basic controls pretty much renders the forum useless. All the fancy mods in the world won't keep a forum going if you cannot edit/delete topics. I have logged out, deleted temp files, etc.; & logged back in again. That much works - but the basic controls for the board do not.
No Permissions to Delete Topic
Go Back to Re-Authenticate
Close Window
richfed
12 June 2008, 18:23
See here, Carefree ... I had a similar experience.