username and password in url? - Page 2

CRGreathouse · 2009-06-23, 16:56

Quote:

Originally Posted by lavalamp

Rainbow tables are good for alphanumeric passwords up to 8 chars in length, and some other types of password that are longer (all lower or all upper case, numeric etc.). Even with a salt, these can be recomputed.

Computing rainbow tables is too computationally expensive for this approach to work. It would take less effort to brute force than to create one-time rainbow tables.

Quote:

Originally Posted by lavalamp

And currently it seems that 200 PS3s in 3 days can find a specific string to match a hash (or 100 in 6 days, 50 in 12 etc.), tomorrows hardware will bring this within reasonable limits, and more and more progress is made in destroying MD5 every day. SHA-1 isn't far behind.

No no no! They weren't able to do a second preimage attack -- that would be a huge failure. They generated a collision, registered one of the colliding hashes for a domain they owned, and used its similarity to the other to register themselves as a CA.

Bad CA policies made it possible to do this stuff with only a collision attack instead of a second preimage attack. A collision attack against MD5 is roughly 2^63 ("millions of trillions") times easier than a (second) preimage attack.

lavalamp · 2009-06-23, 17:21

Ah, I see, not quite as bad as I thought then, in that case I retract what I said.

I still wouldn't use MD5 though. Or SHA-1.

CRGreathouse · 2009-06-23, 18:09

Quote:

Originally Posted by lavalamp

I still wouldn't use MD5 though. Or SHA-1.

Fair enough, that's probably prudent.

lfm · 2009-06-24, 09:08

Ya, I'd say md5 would still probably be fine for GIMPS passwords. I can hardly even imagine anyone spending 3 days with 200 PS3s just to get a GIMPS password when there are so many other targets out there.

lavalamp · 2009-06-24, 11:22

But why bother? It would be no more effort to use a much more secure hash, why not use the absolute best available?

soda · 2009-06-24, 16:57

Who cares how strong the digest is, it's still a really big secruity hole to pass passwords in plaintext. Espically in the url, as you can simply view someones history and obtain thier username and password for this site.

Paulie · 2009-06-27, 17:20

Quote:

Originally Posted by soda

At least pass the passwords as an MD5 checksum to the server this way it won't matter if it's passed in the url or not

If you're sending a fixed username with a fixed hashed password, it makes zero difference if it's plain text or not; it's fixed.

It would need to be salted on each authentication request, which would require passing the salt over an encrypted channel, which sends you down the road of trying to protect the entire transmission over something like TLS, needing certificate generation and key exchanges, management of this infrastructure, and on and on. For what? This is GIMPS not a bank...

Don't use the same login/password combination between sites. Change your password regularly if it worries you. Spend the cycles searching for primes, not multiplying a couple huge ones together to make a key pair... :)

mdettweiler · 2009-06-27, 17:34

Quote:

Originally Posted by Paulie

If you're sending a fixed username with a fixed hashed password, it makes zero difference if it's plain text or not; it's fixed.

It would need to be salted on each authentication request, which would require passing the salt over an encrypted channel, which sends you down the road of trying to protect the entire transmission over something like TLS, needing certificate generation and key exchanges, management of this infrastructure, and on and on. For what? This is GIMPS not a bank...

Don't use the same login/password combination between sites. Change your password regularly if it worries you. Spend the cycles searching for primes, not multiplying a couple huge ones together to make a key pair... :)

Probably, it would be at least beneficial to send a hash of the password instead of a cleartext version. Even if it's still fixed, as you said, this is just GIMPS, not a bank. Having it hashed would at least keep people from being able to read the password itself just by seeing the URL (in case, say, you used the password for other things too--which, despite best practices, a lot of people will always do), while still allowing the option of bookmarking a page to automatically log in (since the hash is fixed).

Paulie · 2009-06-27, 18:15

Quote:

Originally Posted by mdettweiler

Probably, it would be at least beneficial to send a hash of the password instead of a cleartext version. Even if it's still fixed, as you said, this is just GIMPS, not a bank. Having it hashed would at least keep people from being able to read the password itself just by seeing the URL (in case, say, you used the password for other things too--which, despite best practices, a lot of people will always do), while still allowing the option of bookmarking a page to automatically log in (since the hash is fixed).

If you have the login ID and the hash, and the server accepts it in hashed form, I still can't see a difference. So it looks like 29f33cab54c2a8858885b95d8fbb7ff1 in the URL instead of "Password", but it's functionally the same; I just cut and paste. So it's just the shoulder surfing risk? Easy enough for fix, ROT-13 or XOR the password with value of ascii string "42". :)

mdettweiler · 2009-06-27, 18:55

Quote:

Originally Posted by Paulie

If you have the login ID and the hash, and the server accepts it in hashed form, I still can't see a difference. So it looks like 29f33cab54c2a8858885b95d8fbb7ff1 in the URL instead of "Password", but it's functionally the same; I just cut and paste. So it's just the shoulder surfing risk? Easy enough for fix, ROT-13 or XOR the password with value of ascii string "42". :)

As I said in my above message, I know that someone who knows the URL would still be able to get into your account; that's what makes the whole thing with bookmarking an account page work. However, it would prevent people from figuring out what the actual plaintext of the password is, which could be helpful if that user has the same password on other web sites (which may well use a different hashing scheme for their passwords, and thus knowldge of the hash at GIMPS is useless there).

Mini-Geek · 2009-06-27, 19:02

I don't know about you, but it'd be easier for me to remember "Password" than "29f33cab54c2a8858885b95d8fbb7ff" if I happened to see it in the URL.
Is it secure against someone, say, snooping your network traffic? Absolutely not. They could use it directly in your GIMPS account and could probably reverse MD5 it to find your cleartext password.
Does it provide a bit more security against someone happening to see your login info? Absolutely. It's something like replacing passwords with ***** as you type it in.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Get username through public name?	UBR47K	PrimeNet	0	2015-10-11 16:47
I used the wrong username	dchmelik	Information & Answers	0	2010-12-15 08:40
Username fraud	10metreh	Forum Feedback	13	2010-09-10 12:28
How to consolidate 2 Username?	stuymer	PrimeNet	4	2004-02-29 21:33
Many username mismatches between database and Primenet	GP2	Data	5	2003-09-24 21:15

2009-06-23, 17:21	#13
lavalamp Oct 2007 Manchester, UK 5·271 Posts	Ah, I see, not quite as bad as I thought then, in that case I retract what I said. I still wouldn't use MD5 though. Or SHA-1.

2009-06-24, 09:08	#15
lfm Jul 2006 Calgary 5²×17 Posts	Ya, I'd say md5 would still probably be fine for GIMPS passwords. I can hardly even imagine anyone spending 3 days with 200 PS3s just to get a GIMPS password when there are so many other targets out there.

2009-06-24, 11:22	#16
lavalamp Oct 2007 Manchester, UK 5×271 Posts	But why bother? It would be no more effort to use a much more secure hash, why not use the absolute best available?

2009-06-24, 16:57	#17
soda Jun 2009 11₂ Posts	Who cares how strong the digest is, it's still a really big secruity hole to pass passwords in plaintext. Espically in the url, as you can simply view someones history and obtain thier username and password for this site.

2009-06-27, 19:02	#22
Mini-Geek Account Deleted "Tim Sorbera" Aug 2006 San Antonio, TX USA 17×251 Posts	I don't know about you, but it'd be easier for me to remember "Password" than "29f33cab54c2a8858885b95d8fbb7ff" if I happened to see it in the URL. Is it secure against someone, say, snooping your network traffic? Absolutely not. They could use it directly in your GIMPS account and could probably reverse MD5 it to find your cleartext password. Does it provide a bit more security against someone happening to see your login info? Absolutely. It's something like replacing passwords with ***** as you type it in.