Difference between revisions of "Password Security"

From BNC4FREE
Jump to navigation Jump to search
(A bit about how we can use password hashes for the great good)
 
m (Changed protection level for "Password Security": No need to move the page ([Edit=⧼protect-level-staff⧽] (indefinite) [Move=Allow only administrators] (indefinite)))
 
(8 intermediate revisions by the same user not shown)
Line 15: Line 15:
  
 
  <Pass password>
 
  <Pass password>
       Hash = c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431
+
       Hash = 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20
 
       Method = SHA256
 
       Method = SHA256
       Salt = _p,7G4::X1pqh_.Y7O(U
+
       Salt = I_I/zCQ,mWmr-trTaNKK
 
  </Pass>
 
  </Pass>
  
Line 30: Line 30:
 
We are able to query ZNC for the password hash and salt to authenticate users. Below are examples of how sha256 along with the hash and salt provided from ZNC can be used to verify whether the password is correct.
 
We are able to query ZNC for the password hash and salt to authenticate users. Below are examples of how sha256 along with the hash and salt provided from ZNC can be used to verify whether the password is correct.
  
 +
Using our [[API|API]] we can use the [[API:User/Info|User/Info]] callback to retrieve the password information. It is returned to us in this format:
 +
 +
{
 +
    "status" : "success",
 +
    "MyUsername" : {
 +
                        ..other info...
 +
                        "password" : {
 +
                            "salt" : "I_I/zCQ,mWmr-trTaNKK",
 +
                            "hash" : "69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20",
 +
                            "type" : 2
 +
                        }
 +
                        ..other info...
 +
    }
 +
}
 +
 +
 +
=== Python ===
 
The below Python 2 script demonstrates how we can determine a successful login
 
The below Python 2 script demonstrates how we can determine a successful login
  
Line 35: Line 52:
 
  import uuid
 
  import uuid
 
  import hashlib
 
  import hashlib
  _hashedText, salt = ("c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431", "_p,7G4::X1pqh_.Y7O(U")
+
  _hashedText, salt = ("69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20", "I_I/zCQ,mWmr-trTaNKK")
 
  hashedTexti = hashlib.sha256("ThisIsSparta".encode() + salt).hexdigest()
 
  hashedTexti = hashlib.sha256("ThisIsSparta".encode() + salt).hexdigest()
 
  print "Match From Text: (ZNC Hash: " + _hashedText + " --> HashLib Hash: " + hashedTexti + ")"
 
  print "Match From Text: (ZNC Hash: " + _hashedText + " --> HashLib Hash: " + hashedTexti + ")"
  
 
The result we get is as follows:
 
The result we get is as follows:
  ZNC Hash: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431 --> HashLib Hash: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431
+
  ZNC Hash: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20 --> HashLib Hash: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20
  
Here is a PHP example of the same
+
=== PHP ===
 +
Here is a PHP script that demonstrates how we can determine a successful login
  
 
  <?php
 
  <?php
  $salt = "_p,7G4::X1pqh_.Y7O(U";
+
// This will be the password submitted via a form that we never get to see or log... the rest is handled by the API and SHA256
  $pw = "ThisIsSparta";
+
  $Username = "TestMe";
  echo "Expected: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431\r\n";
+
$Password = "TestMe";
  echo "Returned: ".hash('sha256', $pw.$salt);
+
$APIVars = http_build_query(Array('username' => $Username, 'server' => 'Staging', 'key' => 'a83e9244173a05a041586e47f36d555d87b587467d535bccd57184eb17d81bf7'));
 +
$HTTPOpts = array('http' =>
 +
    array(
 +
        'method'  => 'POST',
 +
        'header'  => 'Content-Type: application/x-www-form-urlencoded',
 +
        'content' => $APIVars,
 +
        'ssl'  =>      array(
 +
                'verify_peer'=>false,
 +
                'verify_peer_name'=>false
 +
        ),
 +
    )
 +
);
 +
$HTTPContext  = stream_context_create($HTTPOpts);
 +
$APIResult = file_get_contents('<nowiki>https://api.bnc4free.com/user/info</nowiki>', false, $HTTPContext);
 +
$APIResult = json_decode($APIResult, true);
 +
$api_hash = $APIResult[$Username]['password']['hash'];
 +
  $api_salt = $APIResult[$Username]['password']['salt'];
 +
  echo "Expected Hash: ".$APIResult[$Username]['password']['hash']."\r\n";
 +
  echo "Hash from API: ".hash('sha256', $Password.$api_salt);
 
  ?>
 
  ?>
  
 
The result we get here is:
 
The result we get here is:
  Expected: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431
+
  Expected Hash: 22a61bc477465fef04548c31416b34962ee55e371627ef2007f58a6a08327c7f
  Returned: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431
+
  Hash from API: 22a61bc477465fef04548c31416b34962ee55e371627ef2007f58a6a08327c7f

Latest revision as of 18:24, 11 January 2021

BNC4FREE as a service stores and retains password hashes and understands how important it is to keep passwords safe and secure. This document outlines recommendations for users when setting passwords and also how we store them and ensure they cannot be decrypted.

General Password Security

Your password for your account should be secure. We recommend the following:

  • Use atleast one or more upper case letters
  • Use atleast one or more lower case letters
  • Use atleast one or more numbers
  • Use atleast one or more symbols (!"£$%^&* etc...)
  • DON'T keep the default the password that we email you (because if someone hacks your email, they'll find it)

How we store passwords

Our software is based on ZNC which encrypts users passwords into SHA256 using a random salt. This is how it looks in the configuration:

<Pass password>
      Hash = 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20
      Method = SHA256
      Salt = I_I/zCQ,mWmr-trTaNKK
</Pass>

Because of the way this is encrypted and salted it is impossible for us to decrypt the password.

How we can use this information

We can use your password hash and salt to allow you to login to our website and wiki. It should be emphasized that we don't know your password. By knowing the password hash and its salt we are able to verify that the password you enter is correct. What this means (in a nutshell) is that when you enter your password into the password field and its submitted, we encrypt it with the salt from ZNC and if the hash matches, it is a successful login.

Examples

We are able to query ZNC for the password hash and salt to authenticate users. Below are examples of how sha256 along with the hash and salt provided from ZNC can be used to verify whether the password is correct.

Using our API we can use the User/Info callback to retrieve the password information. It is returned to us in this format:

{
   "status" : "success",
   "MyUsername" : {
                        ..other info...
                        "password" : {
                           "salt" : "I_I/zCQ,mWmr-trTaNKK",
                           "hash" : "69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20",
                           "type" : 2
                        }
                        ..other info...
   }
}


Python

The below Python 2 script demonstrates how we can determine a successful login

import sys
import uuid
import hashlib
_hashedText, salt = ("69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20", "I_I/zCQ,mWmr-trTaNKK")
hashedTexti = hashlib.sha256("ThisIsSparta".encode() + salt).hexdigest()
print "Match From Text: (ZNC Hash: " + _hashedText + " --> HashLib Hash: " + hashedTexti + ")"

The result we get is as follows:

ZNC Hash: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20 --> HashLib Hash: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20

PHP

Here is a PHP script that demonstrates how we can determine a successful login

<?php
// This will be the password submitted via a form that we never get to see or log... the rest is handled by the API and SHA256
$Username = "TestMe";
$Password = "TestMe";
$APIVars = http_build_query(Array('username' => $Username, 'server' => 'Staging', 'key' => 'a83e9244173a05a041586e47f36d555d87b587467d535bccd57184eb17d81bf7'));
$HTTPOpts = array('http' =>
   array(
       'method'  => 'POST',
       'header'  => 'Content-Type: application/x-www-form-urlencoded',
       'content' => $APIVars,
       'ssl'   =>      array(
               'verify_peer'=>false,
               'verify_peer_name'=>false
       ),
   )
);
$HTTPContext  = stream_context_create($HTTPOpts);
$APIResult = file_get_contents('https://api.bnc4free.com/user/info', false, $HTTPContext);
$APIResult = json_decode($APIResult, true);
$api_hash = $APIResult[$Username]['password']['hash'];
$api_salt = $APIResult[$Username]['password']['salt'];
echo "Expected Hash: ".$APIResult[$Username]['password']['hash']."\r\n";
echo "Hash from API: ".hash('sha256', $Password.$api_salt);
?>

The result we get here is:

Expected Hash: 22a61bc477465fef04548c31416b34962ee55e371627ef2007f58a6a08327c7f
Hash from API: 22a61bc477465fef04548c31416b34962ee55e371627ef2007f58a6a08327c7f