First of all, eventhouhg the subject looks a bit pompuous I really mean this in a positive way, I find Subsonic to be one of the best media streaming application there is, supporting HTTPS, fully open source, free, GPL... Nothing more to ask really...
Except today I forgot my password (not using the web login much to be honest), and I remembered from looking at the code that the encryption strings weren't really encrypted, more like UTF8 encoded.
So... I just opened the DB, grepped the string, and used http://software.hixie.ch/utilities/cgi/ ... f8-decoder to get the decoded string.
This brings me to the core of my post: UTF8 Encoding is not a secure way to store passwords.
Now, I know I'm connecting over HTTPS and everything so the "enc:<UTF8-encode>" string shouldn't get leaked through my connection (I shudder thinking about users not using HTTPS), but in the end the password doesn't need to be reversible, is stored locally on a shared folder and therefore could be using valid crypto.
I know it's a bit more code (eventhough in java it ain't that much, and using standard libraries would help even more secure storage in the future), and I probably even could do it if I find/have the time, but my recommendation would be to :
- Not use UTF8-encode or any home-made recipe, especially for the online login, even more for the local storage of passwords (especially in default-setup on cross-user accessible folders like C:\subsonic on a Win box).
- Seed the password with a long random number (per install, per release, whatever).
- Then use at least SHA-1 or SHA-256 to hash the password.
- Then stretch the hash a bit (run it a couple of thousands time, see https://secure.wikimedia.org/wikipedia/ ... stretching or https://secure.wikimedia.org/wikipedia/en/wiki/PBKDF2)
So if someone's got time to change encrypt/decrypt(String s), that would be insanely great !
UTF8 encoding is not valid encryption.
Moderator: moderators
2 posts
• Page 1 of 1
UTF8 encoding is not valid encryption.
by bobber » Wed Sep 07, 2011 2:33 am
- bobber
- Posts: 2
- Joined: Fri Jul 22, 2011 8:59 pm
Re: UTF8 encoding is not valid encryption.
by BinaryBuddha » Mon Sep 19, 2011 10:35 pm
I was about to flame you for your subject line. (Yes, it's not valid encryption... Because it's not an encryption algorithm at all.)
Luckily, I read on. Yes, I agree with you. CLEARTEXT passwords should not be stored in the DB. I'm new to using SS, so I don't know if you can currently use different authentication services; i.e. LDAP and /etc/shadow, to login into SS. I do remember seeing a couple of threads in here about trying to that type of setup together.
Luckily, I read on. Yes, I agree with you. CLEARTEXT passwords should not be stored in the DB. I'm new to using SS, so I don't know if you can currently use different authentication services; i.e. LDAP and /etc/shadow, to login into SS. I do remember seeing a couple of threads in here about trying to that type of setup together.
- BinaryBuddha
- Posts: 4
- Joined: Mon Sep 19, 2011 10:06 pm
2 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 2 guests