ADC Salted passwords

Here are whitepapers on ADC Features that can give you help.
Locked

What do you think about ADC salted passwords compared to NMDC plain-text passwords?

They are good: 3 votes (38%)
They are excellent: 5 votes (63%)
They aren't so good: 0 (No votes)
They suck ass: 0 (No votes)

Total votes: 8

Pietry
Senior Member
Posts: 328
Joined: 04 Dec 2007, 07:25
Location: Bucharest

ADC Salted passwords

Post by Pietry » 24 Jan 2008, 20:23

OK, what are salted passwords and why should we use them?
NMDC uses plain-text passwords. This means the password is sent to the hub in simple plain-text format. Like any chat. Like any banal simple text message you send.
How good is that? If nobody cares about your simple reg account, then you can go ahead and tell your passie to everyone; they don't care anyway.
If you've got an 8k hub and you worked really hard on it... then some wannabe hacker could just sniff some text you send to the hub. How's that possible? Well, he could intercept some packages on their route and read them... Could see your password right away. Is that good? Don't know, depends if you like your users being redirected to hell and beyond.
What are salted passwords? Passwords are not sent in plain text. They are sent encrypted.
Found some people asking: "What's the use of that? I can sneak the encryption and send it, I don't need the password anyway". That's wrong.
Each time a registered client connects to some ADC hub, the hub sends some random data; let's call this data X. The client concatenates the password with X and encrypts it. The hub receives this and checks whether the password it stored + the X it sent matches the data the client sends.
Anybody could very well get the X and the X+password hash. So what? They will be different each time the client connects. So you "hackers" can start sniffing and make a database of each hash the client sends. Maybe you get lucky and the random data will be the same once in a while... :D So what? When you want to use it, the hub will send another one =)

There you go... be happy with your ADC hub... and don't worry that some wannabe would get your password by any sniffing...
[Additional info : http://en.wikipedia.org/wiki/Salt_%28cryptography%29 ]
Just someone
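
The exchange described in the post above, as an added example that is not part of the original post or of any hub's own code. SHA-256 stands in for the hash (the post does not name one), and the `Hub` class, the `response` function and the sample account are hypothetical.

```python
import hashlib
import hmac
import secrets


def response(password: str, challenge: bytes) -> bytes:
    """Client side: hash the password concatenated with the hub's random data X.
    SHA-256 is a stand-in; the post does not say which hash is used."""
    return hashlib.sha256(password.encode("utf-8") + challenge).digest()


class Hub:
    """Hypothetical hub that issues one fresh challenge per login attempt."""

    def __init__(self, accounts: dict[str, str]):
        self.accounts = accounts              # nick -> password known to the hub
        self.pending: dict[str, bytes] = {}   # nick -> outstanding challenge X

    def new_challenge(self, nick: str) -> bytes:
        x = secrets.token_bytes(24)           # unpredictable random data X
        self.pending[nick] = x
        return x

    def verify(self, nick: str, answer: bytes) -> bool:
        x = self.pending.pop(nick, None)      # single use: X is consumed here
        password = self.accounts.get(nick)
        if x is None or password is None:
            return False
        # Constant-time comparison of the expected and received hashes.
        return hmac.compare_digest(response(password, x), answer)


def demo() -> dict[str, bool]:
    hub = Hub({"alice": "correct horse"})     # constructed sample account

    x1 = hub.new_challenge("alice")
    sniffed = response("correct horse", x1)   # what an eavesdropper would see
    first_login = hub.verify("alice", sniffed)

    hub.new_challenge("alice")                # next session gets a different X
    replay = hub.verify("alice", sniffed)     # old answer no longer matches

    no_challenge = hub.verify("alice", sniffed)  # nothing outstanding
    return {"first_login": first_login, "replay": replay,
            "no_challenge": no_challenge}


if __name__ == "__main__":
    print(demo())
```

A captured X and answer still let an eavesdropper test password guesses offline, so the scheme stops replay but does not compensate for a weak password.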

klondike
Member
Posts: 73
Joined: 14 Nov 2010, 13:06

Re: ADC Salted passwords

Post by klondike » 14 Nov 2010, 14:46

I know that posting in old threads is no good, but I think I can give another reason why SALTs are good: they allow you to store the password encrypted in the DB. This also means that if two users have the same password, the salted password stored in the database would differ.

A reasonably good implementation can be seen in http://en.wikipedia.org/wiki/Digest_acc ... entication which is currently used by HTTP.

An even better implementation would add a random string after the realm to avoid collisions in case two users share the password in a realm.
