Re: A REG command proposal

Posted: 05 Aug 2009, 07:02
by Pietry
Even if the hub does not know the original password, it knows the hash, which is more than enough to use it.

Re: A REG command proposal

Posted: 05 Aug 2009, 12:10
by Dj_Offset
If the password is bad, it is still easy to crack it in minutes using tools such as john or jack.

Re: A REG command proposal

Posted: 05 Aug 2009, 13:04
by darkKlor
Very true. Anybody determined is going to get at the password one way or another. But they do have to be bothered. I just don't like the fact that a casual glance at the hub software or a settings file will show everybody's passwords.

Re: A REG command proposal

Posted: 05 Aug 2009, 13:24
by Pietry
darkKlor wrote: Very true. Anybody determined is going to get at the password one way or another. But they do have to be bothered. I just don't like the fact that a casual glance at the hub software or a settings file will show everybody's passwords.
It doesn't matter if they see the passwords or the hash; it's the same thing.

Re: A REG command proposal

Posted: 06 Aug 2009, 00:21
by Crise
I'll say this... ADC does not send passwords in plain text anymore (which is good), so if we start from there it would make sense for any protocol extensions dealing with passwords not to do that (send password in plain text) either.

That said, I haven't read either of the proposals by darkKlor so I do not know how he hashes the passwords and in which instances, but remember that how hub software stores its settings files or what it displays to the admin/user is not something the protocol really should try to affect (which is what he seems to want in regards to passwords).

Regardless... no matter what you do with passwords, the persistent will always be rewarded; however, I do agree with darkKlor in that it should never be made too easy for anyone to find out a user's password (not even the hub host/admin).

See the first point made though, because the idea of the protocol not sending passwords in plain text (which is protection against packet sniffing, I assume) will be defeated if an extension does it, no matter what the extension's for.
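
The two points argued in this thread (a random challenge keeps the password off the wire, yet a hash stored on the hub is as good as the password), shown as an added example that is not part of any post or of the proposal. The scheme is assumed for illustration: the hub stores a hash of the password, the client answers a challenge with a hash of that stored value plus the nonce, and SHA-256 stands in for whatever hash the proposal uses; all function names and sample values are constructed.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # Stand-in hash (assumption): the thread does not say which one is used.
    return hashlib.sha256(data).digest()

def stored_verifier(password: str) -> bytes:
    """What the hypothetical hub writes to its settings file instead of the password."""
    return h(password.encode("utf-8"))

def response(secret: bytes, nonce: bytes) -> bytes:
    """Login answer: hash of the shared secret followed by the hub's random challenge."""
    return h(secret + nonce)

def hub_verify(verifier: bytes, nonce: bytes, resp: bytes) -> bool:
    # The hub recomputes the expected answer from what it stored.
    return hmac.compare_digest(response(verifier, nonce), resp)

def demo() -> dict:
    password = "correct horse"           # constructed sample password
    verifier = stored_verifier(password)  # contents of the settings file
    nonce1 = bytes(range(24))             # constructed challenges; a hub would use random bytes
    nonce2 = bytes(range(24, 48))

    # Legitimate client: derives the secret from the typed password.
    legit = response(stored_verifier(password), nonce1)
    # Party that only read the settings file and never saw the password.
    from_file = response(verifier, nonce1)

    return {
        "legit_ok": hub_verify(verifier, nonce1, legit),
        # True: the stored hash alone is enough to log in.
        "verifier_alone_ok": hub_verify(verifier, nonce1, from_file),
        # False: a sniffed answer is useless against a fresh challenge.
        "replay_ok": hub_verify(verifier, nonce2, legit),
    }

if __name__ == "__main__":
    print(demo())
```

The nonce only protects against replay of a sniffed answer; whatever value the hub keeps in order to check that answer is itself the login secret in this assumed scheme.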