Password crypt unsafe

GodFarmer
Noobie

Posts: 10

Re:Password crypt unsafe

« Reply #15 on: December 29, 2002, 01:53:49 AM »

Quote from: [Unknown] on December 28, 2002, 07:25:09 PMThis issue is perhaps a problem, and I'm sure (I think) that it will be looked at in the creation of YaBBSE 2. However, I think it's not so critical as to warant change in the current release (imho). If you want anything done about it, persuade someone (like me, just ask) to make a mod for it.

I appreciate the offer, but the modifications are extremely simple. If you really need to have it spelt out in a mod though:

http://www.yabbse.org/community/index.php?board=158;action=display;threadid=16518

On my system, this manages a smooth transition to MD5 for newly stored password while retaining backwards compatibility with previously stored passwords.

Regards, Bruno.


	Logged

David
Destroyer Dave
Global Moderator
YaBB God

Posts: 5761

I'm not a llama!

Re:Password crypt unsafe

« Reply #16 on: December 29, 2002, 02:03:19 AM »

I still don't think you get what I said. It uses as you said a RANDOM salt. This salt is different every time you call crypt. Thus how would you ever compare an entered password and the one in the database?


	Logged

Forum-Forum.com, A Forum For Forum Owners and Enthusiasts!

GodFarmer
Noobie

Posts: 10

Re:Password crypt unsafe

« Reply #17 on: December 29, 2002, 02:16:29 AM »

Quote from: David on December 29, 2002, 02:03:19 AMI still don't think you get what I said. It uses as you said a RANDOM salt. This salt is different every time you call crypt. Thus how would you ever compare an entered password and the one in the database?

The random salt is included in the crypted form of the password. Therefore, you must provide the crypted form (or at least the salt extracted from the crypted form) upon crypting the user input. This way the user input can be crypted with the same salt that was previously used.

For example with DES, the salt is included as the first two characters of the encrypted form. [That's why with the old scheme, every encrypted password started with the same two characters as the clear password: because those characters were used as salt]

This works, my mod's there to prove it! For more info, check any documentation on the standard crypt function...

Regards, Bruno.


	Logged

GodFarmer
Noobie

Posts: 10

Re:Password crypt unsafe

« Reply #18 on: December 29, 2002, 02:44:12 AM »

David, to continue kervel's example...

Storing the password:
random() -> 'bl'
crypt('secret','bl') -> blRZeRor8Mgr2

Storing the same password:
random() -> 'ar'
crypt('secret','ar') -> arxbmSLDgaJk.

Verifying user input 'lala' against encrypted password blRZeRor8Mgr2:
extract first two characters from blRZeRor8Mgr2 -> bl
crypt('lala','bl') -> blXH3v2KIh5Y. != blRZeRor8Mgr2 so reject login!

Verifying user input 'lala' against encrypted password arxbmSLDgaJk.:
extract first two characters from arxbmSLDgaJk. -> ar
crypt('lala','ar') -> arxY7QuUWe2sI != arxbmSLDgaJk. so reject login!

Verifying user input 'secret' against encrypted password blRZeRor8Mgr2:
extract first two characters from blRZeRor8Mgr2 -> bl
crypt('secret', 'bl') -> blRZeRor8Mgr2 == blRZeRor8Mgr2 so accept login!

Verifying user input 'secret' against encrypted password arxbmSLDgaJk.:
extract first two characters from arxbmSLDgaJk. -> ar
crypt('secret','ar') -> arxbmSLDgaJk. == arxbmSLDgaJk. so accept login!

Regards, Bruno.


	Logged

Pages: 1 [2]

YaBB SE Community \| General Category \| Feedback \| Password crypt unsafe	« previous - next »

	Welcome, Guest. Please Login or Register. April 27, 2025, 05:59:05 PM

News: SMF is the next generation in forum software, almost completely re-written from the ground up, make sure you don't fall for cheap imitations that suffer from feature bloat!