From Newsgroup: alt.bbs.synchronet
To: Bob Roberts
Re: Password Ideas
By: Bob Roberts to Michael Long on Thu Oct 15 2020 01:23 pm
Re: Password Ideas
By: Michael Long to alt.bbs.synchronet on Thu Oct 15 2020 06:57 am
Also obviously it is a product of its time, but at some point it might be nice to encrypt the passwords and also instead of
emailing forgotten passwords, have a method to reset the password, perhaps with a validation token. --- Synchronet 3.18c-Win32
I'm a bit concerned about the plaintext user password storage as well. But most accounts are created via Telnet which isn't encrypted either... so not sure if its a big win or not. I know Mystic uses PBKDF2 with SHA512-bit hashing.
My understanding of key derivation functions (e.g. PBKDF2) is that nothing can reliably reconstruct the original cleartext (password). This means that the user's password could not be used for protocols with authentication schemes that require the original password to be known on the server (e.g. CRAM-MD5).
We've discussed password encryption here a few times over the years, but we always kind of end up back where we started: we can't really introduce password-security (i.e. even the sysop could never discover a user's actual password, so long as secure protocols were used, e.g. SSH, HTTPS) without eliminating some existing functionality.
digital man
Rush quote #41:
Angels and demons dancing in my head, lunatics and monsters underneath my bed Norco, CA WX: 96.1øF, 17.0% humidity, 7 mph N wind, 0.00 inches rain/24hrs
--- Synchronet 3.18c-Win32 NewsLink 1.113
* Vertrauen - Riverside County, California -
telnet://vert.synchro.net
--- Synchronet 3.19c-Linux NewsLink 1.113