Password Security

From BNC4FREE
Revision as of 18:10, 11 January 2021 by Russell (Protected "Password Security")

BNC4FREE as a service stores and retains password hashes and understands how important it is to keep passwords safe and secure. This document outlines our recommendations for users when setting passwords, and explains how we store them and ensure the original password cannot be recovered.

General Password Security

Your password for your account should be secure. We recommend the following:

  • Use at least one upper case letter
  • Use at least one lower case letter
  • Use at least one number
  • Use at least one symbol (!"£$%^&* etc.)
  • DON'T keep the default password that we email you (if someone compromises your email account, they will find it there)

How we store passwords

Our software is based on ZNC, which stores each user's password as a SHA256 hash computed with a random salt. This is how it looks in the configuration:

<Pass password>
      Hash = 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20
      Method = SHA256
      Salt = I_I/zCQ,mWmr-trTaNKK
</Pass>

Because the password is stored only as a salted hash, it is impossible for us to recover the original password from it.

How we can use this information

We can use your password hash and salt to allow you to log in to our website and wiki. It should be emphasized that we do not know your password. Knowing the hash and its salt only lets us verify that the password you enter is correct. What this means (in a nutshell) is that when you enter your password into the password field and it is submitted, we hash it together with the salt from ZNC, and if the result matches the stored hash, the login succeeds.

Examples

We are able to query ZNC for the password hash and salt to authenticate users. Below are examples of how SHA256, together with the hash and salt provided by ZNC, can be used to verify whether a submitted password is correct.

Using our API, the User/Info callback retrieves the password information. It is returned to us in this format:

{
   "status" : "success",
   "MyUsername" : {
                        ..other info...
                        "password" : {
                           "salt" : "I_I/zCQ,mWmr-trTaNKK",
                           "hash" : "69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20",
                           "type" : 2
                        }
                        ..other info...
   }
}


Python

The Python script below (written for Python 2; it also runs unchanged under Python 3) demonstrates how we determine a successful login:

import hashlib

# Hash and salt for this account, as stored by ZNC (the values shown above)
_hashedText, salt = ("69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20", "I_I/zCQ,mWmr-trTaNKK")
# ZNC's SHA256 method: hex(sha256(password + salt)); the salt is appended to the submitted password
hashedTexti = hashlib.sha256(("ThisIsSparta" + salt).encode("utf-8")).hexdigest()
print("Match From Text: (ZNC Hash: " + _hashedText + " --> HashLib Hash: " + hashedTexti + ")")

The result we get is as follows:

ZNC Hash: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20 --> HashLib Hash: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20
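A Python 3 version of the same check, added here as an example (not BNC4FREE's or ZNC's own code): it parses the `<Pass password>` block format and the User/Info JSON shape shown on this page, computes sha256(password + salt), and compares the result in constant time. The sample password is constructed, and reading `"type": 2` as the SHA256 method is an assumption.

```python
import hashlib
import hmac
import re

# Added example (not BNC4FREE or ZNC code). It relies only on what the page
# states: the stored value is hex(sha256(password + salt)).

def znc_sha256(password, salt):
    """ZNC's SHA256 method: hex digest of the password followed by the salt."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()

def parse_pass_block(config_text):
    """Extract Hash / Method / Salt from a '<Pass password> ... </Pass>' block."""
    m = re.search(r"<Pass password>(.*?)</Pass>", config_text, re.S)
    if not m:
        raise ValueError("no <Pass password> block found")
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def verify_against_block(candidate, fields):
    """True only if the candidate hashes to the stored value (constant-time compare)."""
    if fields.get("Method") != "SHA256":
        raise ValueError("unsupported hash method: %r" % fields.get("Method"))
    computed = znc_sha256(candidate, fields["Salt"])
    return hmac.compare_digest(computed, fields["Hash"].lower())

def verify_against_api(candidate, username, api_response):
    """The same check against the User/Info JSON shape shown on this page."""
    if api_response.get("status") != "success":
        return False
    pw = api_response.get(username, {}).get("password")
    # Assumption: "type": 2 denotes SHA256; any other type is refused, not guessed.
    if not pw or pw.get("type") != 2:
        return False
    return hmac.compare_digest(znc_sha256(candidate, pw["salt"]), pw["hash"].lower())

# Constructed sample: a config block built from a made-up password and the page's salt.
SAMPLE_SALT = "I_I/zCQ,mWmr-trTaNKK"
SAMPLE_PASSWORD = "correct-horse-battery"  # constructed, not a real account password
SAMPLE_CONFIG = "<Pass password>\n      Hash = %s\n      Method = SHA256\n      Salt = %s\n</Pass>\n" % (
    znc_sha256(SAMPLE_PASSWORD, SAMPLE_SALT), SAMPLE_SALT)

if __name__ == "__main__":
    fields = parse_pass_block(SAMPLE_CONFIG)
    print("correct password accepted:", verify_against_block(SAMPLE_PASSWORD, fields))
    print("wrong password accepted:  ", verify_against_block("ThisIsSparta", fields))
```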

PHP

Here is a PHP script that demonstrates how we determine a successful login:

<?php
// $Password is the value submitted via a form; it is never stored or logged.
// The rest is handled by the API (which returns the stored hash and salt) and SHA256.
$Username = "TestMe";
$Password = "TestMe";
$APIVars = http_build_query(array('username' => $Username, 'server' => 'Staging', 'key' => 'a83e9244173a05a041586e47f36d555d87b587467d535bccd57184eb17d81bf7'));
$HTTPOpts = array('http' =>
   array(
       'method'  => 'POST',
       'header'  => 'Content-Type: application/x-www-form-urlencoded',
       'content' => $APIVars,
       // Certificate checks are disabled here for the Staging server only;
       // against production both options must stay at their default (true).
       'ssl'   =>      array(
               'verify_peer'=>false,
               'verify_peer_name'=>false
       ),
   )
);
$HTTPContext  = stream_context_create($HTTPOpts);
$APIResult = file_get_contents('https://api.bnc4free.com/user/info', false, $HTTPContext);
$APIResult = json_decode($APIResult, true);
// Stored hash and salt for this user, as returned by the User/Info call
$api_hash = $APIResult[$Username]['password']['hash'];
$api_salt = $APIResult[$Username]['password']['salt'];
// "Expected Hash" is the stored value; the second line is sha256(password + salt)
// computed locally from the submitted password. The login succeeds if they match.
echo "Expected Hash: ".$api_hash."\r\n";
echo "Hash from API: ".hash('sha256', $Password.$api_salt);
?>

The result we get here is:

Expected Hash: 22a61bc477465fef04548c31416b34962ee55e371627ef2007f58a6a08327c7f
Hash from API: 22a61bc477465fef04548c31416b34962ee55e371627ef2007f58a6a08327c7f