A REG command proposal

Ideas for ADC may be presented here for others to review and point out flaws or further improve the idea.
Forum rules
If you have an account on the wiki, remember to update the ADC Proposals page for new ideas.

http://dcbase.org/wiki/ADC_Proposals_list
Pietry
Senior Member
Posts: 328
Joined: 04 Dec 2007, 07:25
Location: Bucharest
Contact:

Re: A REG command proposal

Post by Pietry » 05 Aug 2009, 07:02

Even if the hub does not know the original password, it knows the hash, which is more than enough to use it.
Just someone

Dj_Offset
Member
Posts: 53
Joined: 15 Sep 2008, 21:48
Location: adcs://adcs.uhub.org:1511
Contact:

Re: A REG command proposal

Post by Dj_Offset » 05 Aug 2009, 12:10

if the password is bad it is still easy to crack it using tools, such as john or jack to crack it in minutes.

darkKlor
Senior Member
Posts: 100
Joined: 30 Dec 2008, 14:59

Re: A REG command proposal

Post by darkKlor » 05 Aug 2009, 13:04

Very true. Anybody determined is going to get at the password one way or another. But they do have to be bothered. I just don't like the fact that a casual glance at the hub software or a settings file will show everybody's passwords.

Pietry
Senior Member
Posts: 328
Joined: 04 Dec 2007, 07:25
Location: Bucharest
Contact:

Re: A REG command proposal

Post by Pietry » 05 Aug 2009, 13:24

darkKlor wrote:Very true. Anybody determined is going to get at the password one way or another. But they do have to be bothered. I just don't like the fact that a casual glance at the hub software or a settings file will show everybody's passwords.
it doesn't matter if they see the passwords or the hash it's the same thing
Just someone

Crise
Senior Member
Posts: 139
Joined: 10 Nov 2007, 21:34

Re: A REG command proposal

Post by Crise » 06 Aug 2009, 00:21

I'll say this... ADC does not send passwords in plain text anymore (which is good), so if we start from there it would make sense that any protocol extensions dealing with passwords not to do that (send password in plain text) either.

That said, I haven't read either of the proposals by darkKlor so I do not know how he hashes the passwords and in which instances, but remember that how hub software stores its settings files or what it displays to the admin/user is not something the protocol really should try to affect on (which is what he seems to want in regards to passwords).

Regardless... no matter what you do with passwords the persistent will always be rewarded, however, I do agree with darkKlor in that it should never be made too easy for anyone to find out a users password (not even the hub host/admin).

See the first point made though, because the idea of protocol not sending passwords in plain text (which is protection against packet sniffing, I assume) will be defeated if an extension does it no matter what the extensions for.

Post Reply