ADC Salted passwords
Posted: 24 Jan 2008, 20:23
Ok, what are salted passwords and why should we use them?
NMDC uses plain text passwords. This means the password is sent to the hub in simple plain text format. Like any chat. Like any banal simple text message you send.
How good is that? If nobody cares about your simple reg account then you can go ahead and tell your passie to everyone, they don't care anyway.
If you've got an 8k hub and you worked really hard on it.. then some wannabe hacker could just sniff some text you send to the hub. How's that possible? Well, he could intercept some packets on their route and read them... Could see your password right away. Is that good? Don't know, depends if you like your users being redirected to hell and beyond.
What are salted passwords? Passwords are not sent in plain text. They are sent as a hash.
Found some people asking: "what's the use of that? I can sniff the hash and send it, I don't need the password anyway". That's wrong.
Each time a registered client connects to an ADC hub, the hub sends some random data; let's call this data X. The client concatenates the password with X and hashes it. The hub receives this and checks whether the hash of the password it stored + the X it sent matches the data the client sends.
Anybody could very well get X and the hash of X+password. So what? They will be different each time the client connects. So you "hackers" can start sniffing and make a database of each hash the client sends. Maybe you get lucky and the random data will be the same once in a while... So what? When you want to use it, the hub will send another one =)
There you go.. be happy with your ADC hub.. and don't worry that some wannabe would get your password by sniffing...
[Additional info: http://en.wikipedia.org/wiki/Salt_%28cryptography%29 ]
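Here is the exchange the post describes, written out as an added example (not code from the post or from any ADC hub or client). The function names are hypothetical, and SHA-256 stands in for whatever hash the real protocol uses, since the post does not name one. It runs one real login, then a replay of the sniffed hash against the hub's next challenge, then a second real login, so you can see why the captured hash is worthless on its own.

```python
"""
Added example (not from the original post): a minimal simulation of the
challenge-response login the post describes. hub_make_challenge,
client_response, hub_verify and simulate are hypothetical names, and SHA-256
is a stand-in for whatever hash the protocol actually uses.
"""
import hashlib
import hmac
import secrets


def hub_make_challenge(nbytes: int = 24) -> bytes:
    """Hub side: the random data X, fresh for every connection."""
    return secrets.token_bytes(nbytes)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: hash(password || X). Only this digest travels over the wire."""
    return hashlib.sha256(password.encode("utf-8") + challenge).digest()


def hub_verify(stored_password: str, challenge: bytes, response: bytes) -> bool:
    """Hub side: recompute hash(stored password || the X it sent) and compare.

    The hub needs the password itself (not just a hash of it) to do this, so
    the hub's account database must be protected accordingly. compare_digest
    avoids leaking the position of the first mismatching byte through timing.
    """
    expected = hashlib.sha256(stored_password.encode("utf-8") + challenge).digest()
    return hmac.compare_digest(expected, response)


def simulate(stored_password: str, client_password: str, challenges=None) -> dict:
    """Run two logins and a replay; return the outcome of each step.

    Connection 1: the client logs in; a sniffer records X1 and H1 from the wire.
    Connection 2: the sniffer replays H1, but the hub has issued a fresh X2.
    Connection 3: the client logs in again, answering X2.
    `challenges` may be fixed for reproducible tests; by default they are random.
    """
    if challenges is None:
        challenges = (hub_make_challenge(), hub_make_challenge())
    x1, x2 = challenges

    # Connection 1: (x1, h1) is everything a sniffer gets to see.
    h1 = client_response(client_password, x1)
    first_login = hub_verify(stored_password, x1, h1)

    # Connection 2: replaying h1 against the new challenge x2.
    replay_accepted = hub_verify(stored_password, x2, h1)

    # Connection 3: the real client answers x2 with a new digest.
    h2 = client_response(client_password, x2)
    second_login = hub_verify(stored_password, x2, h2)

    return {
        "first_login": first_login,
        "replay_accepted": replay_accepted,
        "second_login": second_login,
        "digests_differ": h1 != h2,
    }


if __name__ == "__main__":
    print(simulate("s3cret", "s3cret"))   # constructed sample password
    print(simulate("s3cret", "guess"))    # wrong password fails both logins
```

The `digests_differ` flag is the whole point of the post: the same password produces a different hash on every connection because X changes, so a database of sniffed hashes never matches the challenge the hub sends next.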