Password Security

From BNC4FREE
Revision as of 13:55, 11 July 2020 by Russell (talk | contribs) (A bit about how we can use password hashes for the great good)

BNC4FREE as a service stores and retains password hashes and understands how important it is to keep passwords safe and secure. This document outlines our recommendations for users when choosing a password, explains how we store passwords, and shows why the stored values cannot be reversed to recover the password.

General Password Security

Your password for your account should be secure. We recommend the following:

  • Use at least one upper case letter
  • Use at least one lower case letter
  • Use at least one number
  • Use at least one symbol (!"£$%^&* etc.)
  • DON'T keep the default password that we email you (if someone gains access to your email, they will find it)

How we store passwords

Our software is based on ZNC, which stores each user's password as a SHA-256 hash computed over the password and a random salt. This is how it looks in the configuration:

<Pass password>
      Hash = c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431
      Method = SHA256
      Salt = _p,7G4::X1pqh_.Y7O(U
</Pass>

Because the stored value is a salted hash rather than an encrypted copy of the password, it is impossible for us to recover the password from it.

How we can use this information

We can use your password hash and salt to allow you to log in to our website and wiki. It should be emphasized that we don't know your password. Knowing the password hash and its salt is enough to verify that the password you enter is correct. In a nutshell: when you enter your password into the password field and submit it, we hash it together with the salt from ZNC, and if the resulting hash matches the stored one, the login succeeds.

Examples

We are able to query ZNC for the password hash and salt to authenticate users. Below are examples of how SHA-256, together with the hash and salt provided by ZNC, can be used to verify whether a password is correct.

The Python script below (written for Python 2; it also runs unchanged under Python 3) demonstrates how we determine a successful login:

import hashlib

# Stored hash and salt, copied from the ZNC <Pass> block shown above
_hashedText, salt = ("c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431", "_p,7G4::X1pqh_.Y7O(U")

# ZNC's scheme: SHA-256 over the password followed by the salt, as lowercase hex
hashedTexti = hashlib.sha256(("ThisIsSparta" + salt).encode()).hexdigest()

print("ZNC Hash: " + _hashedText + " --> HashLib Hash: " + hashedTexti)

The result we get is as follows:

ZNC Hash: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431 --> HashLib Hash: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431
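Building on the script above, here is an added example (not the wiki's own code) of what the login flow described under "How we can use this information" needs in practice: it parses a <Pass> block in the layout shown above, refuses anything that is not Method = SHA256, recomputes SHA-256 over password + salt, and compares the result with the stored hash in constant time using hmac.compare_digest. It runs under Python 3. The sample password and salt are constructed for this example, and the make_pass_block helper with its SALT_ALPHABET is an assumption used to build a test entry; it is not ZNC's own salt generator.

```python
import hashlib
import hmac
import re
import secrets
import string

# Assumption for this example only: the characters used when generating a
# fresh salt. ZNC's own salt generator is not reproduced here, just the
# storage format from the <Pass> block shown on this page.
SALT_ALPHABET = string.ascii_letters + string.digits + "_,:.()"
SALT_LENGTH = 20


def znc_hash(password, salt):
    """The stored value: lowercase hex SHA-256 of the password followed by the salt."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def make_pass_block(password, salt=None):
    """Build a <Pass password> block in the same layout as the ZNC config above."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))
    return (
        "<Pass password>\n"
        "\tHash = %s\n"
        "\tMethod = SHA256\n"
        "\tSalt = %s\n"
        "</Pass>\n" % (znc_hash(password, salt), salt)
    )


# One "Key = Value" line inside the block. Assumes the salt has no leading
# whitespace; everything after "=" (and any spaces) up to end of line is the value.
_FIELD = re.compile(r"^\s*(Hash|Method|Salt)\s*=\s*(.*)$", re.MULTILINE)


def parse_pass_block(block):
    """Return the Hash, Method and Salt fields; refuse incomplete or non-SHA256 blocks."""
    fields = dict(_FIELD.findall(block))
    missing = {"Hash", "Method", "Salt"} - set(fields)
    if missing:
        raise ValueError("incomplete <Pass> block, missing: %s" % ", ".join(sorted(missing)))
    if fields["Method"] != "SHA256":
        raise ValueError("unsupported hash method: %s" % fields["Method"])
    return fields


def verify_login(block, candidate):
    """True only when the candidate hashes to the stored value; constant-time comparison."""
    fields = parse_pass_block(block)
    computed = znc_hash(candidate, fields["Salt"])
    return hmac.compare_digest(computed, fields["Hash"].lower())


# Constructed sample entry for this example; not a real user's hash.
SAMPLE_PASSWORD = "CorrectHorse!1"
SAMPLE_SALT = "k3(Qz._9vB;xL2m!Pw#r"
SAMPLE_BLOCK = make_pass_block(SAMPLE_PASSWORD, SAMPLE_SALT)

if __name__ == "__main__":
    print(SAMPLE_BLOCK)
    print("correct password accepted:", verify_login(SAMPLE_BLOCK, SAMPLE_PASSWORD))
    print("wrong case rejected:      ", verify_login(SAMPLE_BLOCK, SAMPLE_PASSWORD.lower()))
```

The stored and computed hashes are compared with compare_digest rather than == so that the time taken does not depend on how many leading characters match. Keep in mind that SHA-256 is a fast general-purpose hash, not a deliberately slow password hash: the salt defeats precomputed tables, but a short or common password can still be guessed quickly from a leaked hash, which is why the password recommendations at the top of this page matter.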

Here is a PHP example of the same:

<?php
// Salt and expected hash copied from the ZNC <Pass> block above
$salt = "_p,7G4::X1pqh_.Y7O(U";
$pw = "ThisIsSparta";
echo "Expected: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431\r\n";
// ZNC's scheme: SHA-256 over the password followed by the salt
echo "Returned: ".hash('sha256', $pw.$salt);
?>

The result we get here is:

Expected: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431 
Returned: c124573b72475cc57c50d6111da148e79e22a4ba744587d9c0d04d1b49db6431