1. Forum
  2. DOVE-Net
  3. Synchronet Discussion

  • Password Ideas

    From Michael Long@VERT to alt.bbs.synchronet on Thu Oct 15 06:57:30 2020
    From Newsgroup: alt.bbs.synchronet

    I'd like to suggest maybe not using O/0 and l/1 in the auto-generated passwords, as it can be a bit confusing depending on the terminal/font

    Also obviously it is a product of its time, but at some point it might be nice to encrypt the passwords and also instead of emailing forgotten passwords, have a method to reset the password, perhaps with a validation token.
    --- Synchronet 3.18c-Win32 NewsLink 1.113
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Bob Roberts@VERT/HOVAL to Michael Long on Thu Oct 15 13:23:33 2020
    Re: Password Ideas
    By: Michael Long to alt.bbs.synchronet on Thu Oct 15 2020 06:57 am

    Also obviously it is a product of its time, but at some point it might be nice to encrypt the passwords and also instead of
    emailing forgotten passwords, have a method to reset the password, perhaps with a validation token. --- Synchronet 3.18c-Win32

    I'm a bit concerned about the plaintext user password storage as well. But most accounts are created via Telnet which isn't encrypted either... so not sure if its a big win or not. I know Mystic uses PBKDF2 with SHA512-bit hashing.


    |08~|07Bob|06Rob|08~


    ... Profanity is the one language all programmers know best.

    ---
    ■ Synchronet ■ Halls of Valhalla <> San Francisco <> hovalbbs.com
  • From Digital Man@VERT to Bob Roberts on Thu Oct 15 13:49:11 2020
    Re: Password Ideas
    By: Bob Roberts to Michael Long on Thu Oct 15 2020 01:23 pm

    Re: Password Ideas
    By: Michael Long to alt.bbs.synchronet on Thu Oct 15 2020 06:57 am

    Also obviously it is a product of its time, but at some point it might be nice to encrypt the passwords and also instead of
    emailing forgotten passwords, have a method to reset the password, perhaps with a validation token. --- Synchronet 3.18c-Win32

    I'm a bit concerned about the plaintext user password storage as well. But most accounts are created via Telnet which isn't encrypted either... so not sure if its a big win or not. I know Mystic uses PBKDF2 with SHA512-bit hashing.

    My understanding of key derivation functions (e.g. PBKDF2) is that nothing can reliably reconstruct the original cleartext (password). This means that the user's password could not be used for protocols with authentication schemes that require the original password to be known on the server (e.g. CRAM-MD5).

    We've discussed password encryption here a few times over the years, but we always kind of end up back where we started: we can't really introduce password-security (i.e. even the sysop could never discover a user's actual password, so long as secure protocols were used, e.g. SSH, HTTPS) without eliminating some existing functionality.

    digital man

    Rush quote #41:
    Angels and demons dancing in my head, lunatics and monsters underneath my bed Norco, CA WX: 96.1°F, 17.0% humidity, 7 mph N wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From MRO@VERT/BBSESINF to Michael Long on Thu Oct 15 20:24:17 2020
    Re: Password Ideas
    By: Michael Long to alt.bbs.synchronet on Thu Oct 15 2020 06:57 am

    From Newsgroup: alt.bbs.synchronet

    I'd like to suggest maybe not using O/0 and l/1 in the auto-generated passwords, as it can be a bit confusing depending on the terminal/font

    Also obviously it is a product of its time, but at some point it might be nice to encrypt the passwords and also instead of emailing forgotten passwords, have a method to reset the password, perhaps with a validation token.

    i disagree with your first request but support fully your requests on passwords ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::