Password Security

Revision as of 14:08, 11 July 2020 by Russell (talk | contribs) (Add a bit more information)

BNC4FREE as a service stores and retains password hashes and understands how important it is to keep passwords safe and secure. This document outlines recommendations for users when setting passwords and also how we store them and ensure they cannot be decrypted.

General Password Security

Your password for your account should be secure. We recommend the following:

  • Use at least one upper case letter
  • Use at least one lower case letter
  • Use at least one number
  • Use at least one symbol (!"£$%^&* etc...)
  • DON'T keep the default password that we email you (because if someone hacks your email, they'll find it)

How we store passwords

Our software is based on ZNC, which does not store users' passwords themselves: it stores a SHA256 hash of each password computed with a random salt. This is how it looks in the configuration:

<Pass password>
      Hash = 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20
      Method = SHA256
      Salt = I_I/zCQ,mWmr-trTaNKK
</Pass>

Because the stored value is a salted one-way hash, it is impossible for us to decrypt it and recover the password.

How we can use this information

We can use your password hash and salt to let you log in to our website and wiki. It should be emphasized that we don't know your password. Knowing the hash and its salt lets us verify that the password you enter is correct. In a nutshell: when you enter your password into the password field and submit it, we hash it with the salt from ZNC, and if the result matches the stored hash the login succeeds.


We are able to query ZNC for the password hash and salt to authenticate users. Below are examples of how SHA256, together with the hash and salt provided by ZNC, can be used to verify whether a password is correct.

Using our API, we use the User/Info call to retrieve the password information. It is returned to us in this format:

   {
      "status" : "success",
      "MyUsername" : {
         ..other info...
         "password" : {
            "salt" : "I_I/zCQ,mWmr-trTaNKK",
            "hash" : "69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20",
            "type" : 2
         },
         ..other info...
      }
   }

The Python 2 script below demonstrates how we determine a successful login (it also runs unchanged under Python 3):

import hashlib

# Hash and salt as returned by ZNC for this user (see the User/Info response above)
_hashedText, salt = ("69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20", "I_I/zCQ,mWmr-trTaNKK")
# ZNC's SHA256 method hashes the password followed by the salt
hashedTexti = hashlib.sha256(("ThisIsSparta" + salt).encode()).hexdigest()
# The login is successful only if the two hex digests are identical
print("Match From Text: (ZNC Hash: " + _hashedText + " --> HashLib Hash: " + hashedTexti + ")")

The result we get is as follows:

ZNC Hash: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20 --> HashLib Hash: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20

Here is a PHP example of the same:

<?php
// Salt and expected hash as stored by ZNC for this user
$salt = "I_I/zCQ,mWmr-trTaNKK";
$pw = "ThisIsSparta";
echo "Expected: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20\r\n";
// ZNC's SHA256 method: sha256(password . salt)
echo "Returned: ".hash('sha256', $pw.$salt);

The result we get here is:

Expected: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20
Returned: 69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20
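To tie together the login procedure described under "How we can use this information" and the User/Info format above, here is an added Python 3 example (it is not part of this page and not BNC4FREE's or ZNC's own code). It parses a constructed response modelled on that format, recomputes ZNC's SHA256(password + salt) and compares the result in constant time. The exact response structure outside the fields shown on this page, the placeholder "nick" field and all function names are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample modelled on the User/Info response shown on this page.
# The hash and salt are the ones from the page; the surrounding structure is assumed.
SAMPLE_USER_INFO = json.dumps({
    "status": "success",
    "MyUsername": {
        "nick": "MyUsername",  # stands in for the "..other info.." fields (assumed)
        "password": {
            "salt": "I_I/zCQ,mWmr-trTaNKK",
            "hash": "69d186dc7a809157f98f3593c66148331eb57d59de34b40b24716e095c7acd20",
            "type": 2,
        },
    },
})


def znc_salted_sha256(password, salt):
    """ZNC's Method = SHA256 scheme: SHA-256 over the password followed by the salt."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def verify_password(password, salt, stored_hash):
    """True if the password reproduces the stored hex digest.

    hmac.compare_digest keeps the comparison time independent of how many
    leading characters match, so timing does not leak anything about the hash.
    """
    computed = znc_salted_sha256(password, salt)
    return hmac.compare_digest(computed, stored_hash.lower())


def verify_login(user_info_json, username, password):
    """Check a login attempt against the User/Info response for `username`.

    Every malformed or missing piece of the response fails closed (returns
    False) instead of raising, so the web front end never accepts a login by
    accident when the API answer is not what we expect.
    """
    try:
        data = json.loads(user_info_json)
    except ValueError:
        return False
    if not isinstance(data, dict) or data.get("status") != "success":
        return False
    user = data.get(username)
    if not isinstance(user, dict):
        return False
    pw = user.get("password")
    if not isinstance(pw, dict):
        return False
    salt, stored = pw.get("salt"), pw.get("hash")
    if not isinstance(salt, str) or not isinstance(stored, str):
        return False
    return verify_password(password, salt, stored)


def build_user_info(username, salt, stored_hash):
    """Build a response in the same (assumed) shape for a user whose hash we know."""
    return json.dumps({
        "status": "success",
        username: {"password": {"salt": salt, "hash": stored_hash, "type": 2}},
    })


if __name__ == "__main__":
    # The first attempt is the page's password, the second differs only in case
    for attempt in ("ThisIsSparta", "thisissparta"):
        print(attempt, "->", verify_login(SAMPLE_USER_INFO, "MyUsername", attempt))
```

Two points worth keeping in mind when reusing this: the comparison must be constant-time (hmac.compare_digest, or hash_equals() in PHP), and a single SHA-256 is designed to be fast, so the protection of a stored hash rests on the salt (which defeats precomputed tables) and on the strength of the password itself. That is why the recommendations at the top of this page matter.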