
ADC Salted passwords

Posted: 24 Jan 2008, 20:23
by Pietry
Ok, what are salted passwords and why should we use them?
NMDC uses plain text passwords. This means the password is sent to the hub in simple plain text format. Like any chat. Like any banal simple text message you send.
How good is that? If nobody cares about your simple reg account then you can go ahead and tell your passie to everyone; they don't care anyway.
If you got an 8k hub and you worked really hard on it... then some wannabe hacker could just sniff some text you send to the hub. How's that possible? Well, he could intercept some packets on their route and read them... Could see your password right away. Is that good? Don't know, depends if you like your users being redirected to hell and beyond.
What are salted passwords? Passwords are not being sent in plain text. They are sent encrypted.
Found some people asking: "What's the use of that? I can sneak the encryption and send it, I don't need the password anyway". That's wrong.
Each time a registered client connects to some ADC hub, the hub sends some random data, let's note this data as X. The client concatenates the password with X, and encrypts it. The hub receives this, and sees if the password it stored + the X it sent matches the data the client sends.
Anybody could very well get the X and the X+password hash. So what? They will be different each time the client connects. So you "hackers" can start sniffing and make a database for each hash the client sends. Maybe you get lucky and the random data will be the same once in a while... :D So what? When you want to use it, the hub will send another one =)

There you go... be happy with your ADC hub... and don't worry that some wannabe would get your password by any sniffing...
[Additional info: http://en.wikipedia.org/wiki/Salt_%28cryptography%29 ]
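The challenge-response exchange Pietry describes, as an added example that is not part of the original post and not taken from any hub or client implementation: the hub generates the random data X, the client sends hash(password + X), and the hub recomputes the same value from the password it stored and the X it issued. ADC itself uses the Tiger hash; SHA-256 from the standard library is substituted here so the script runs anywhere, and the function names and the 16-byte challenge length are assumptions of this example. The last function shows why a sniffed response is useless against a fresh challenge, which is the point the post makes.

```python
import hashlib
import secrets

CHALLENGE_LEN = 16  # assumed size for this example


def hub_make_challenge(nbytes: int = CHALLENGE_LEN) -> bytes:
    """Hub side: the random data X sent to the client on each login."""
    return secrets.token_bytes(nbytes)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: hash of password concatenated with X (SHA-256 stands in for Tiger)."""
    return hashlib.sha256(password.encode("utf-8") + challenge).digest()


def hub_verify(stored_password: str, challenge: bytes, response: bytes) -> bool:
    """Hub side: recompute hash(stored password + X it sent) and compare.
    compare_digest avoids leaking timing information about the mismatch."""
    expected = hashlib.sha256(stored_password.encode("utf-8") + challenge).digest()
    return secrets.compare_digest(expected, response)


def simulate_login(stored_password: str, typed_password: str) -> bool:
    """One full round trip: hub issues X, client answers, hub checks."""
    x = hub_make_challenge()
    return hub_verify(stored_password, x, client_response(typed_password, x))


def replay_is_rejected(stored_password: str) -> bool:
    """A sniffer captures one (X, response) pair from a real login and replays the
    response against the next login; the hub has issued a new X, so it fails."""
    captured_x = hub_make_challenge()
    captured_response = client_response(stored_password, captured_x)
    fresh_x = hub_make_challenge()
    return not hub_verify(stored_password, fresh_x, captured_response)


if __name__ == "__main__":
    print("correct password accepted:", simulate_login("passie", "passie"))
    print("wrong password rejected:", not simulate_login("passie", "guess"))
    print("replayed response rejected:", replay_is_rejected("passie"))
```

Note that in this exact scheme the hub must keep the password itself (or something equivalent) to recompute the hash, so the salt here protects the wire, not the database; klondike's later reply covers the storage side.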

Re: ADC Salted passwords

Posted: 14 Nov 2010, 14:46
by klondike
I know that posting in old threads is no good, but I think I can give another reason why salts are good: they allow you to store the password encrypted in the DB. This also means that if two users have the same password, the salted password stored in the database would differ.

A reasonably good implementation can be seen in http://en.wikipedia.org/wiki/Digest_acc ... entication which is currently used by HTTP.

An even better implementation would add a random string after the realm to avoid collisions in case two users share the password in a realm.