• Login / Passwords / Etc.

    From Deepthaw@VERT/DS94 to All on Wed Jul 5 08:58:25 2017
    SBBS is making me get the cobwebs off my programming (My degree is in CS, but my job has zero need for programming) and I've been starting to dig into the source with the hopes of making contributions.

    Would these be viewed as worthwhile changes to submit?

    * Tweak the login procedure to make it more difficult to identify usernames
    ** right now it kicks you back out as soon as you put in an invalid username. A better practice might be to ask for the password even if there isn't a matching username - this keeps attackers from being able to rapidly phish the system for login credentials. (of course, having a published list of users would kind of negate the usefulness of this, but still...)

    * Passwords are stored in plain text and are case insensitive
    ** This is extremely convenient for everybody involved, but it's still a very 90s way of doing things. Hashed and salted passwords (as a SysOp configurable option) would make it so that not even the SysOp would be able to view a user's password. I haven't dug enough into the source to see how feasible this would even be.
    ** The real worry here is an attacker who compromised an SBBS system would have a list of passwords that users potentially used elsewhere. (I had a blurb in my newuser.msg asking them to use a unique password in case the BBS gets hacked or I turn evil.)

    Just looking for places to contribute.

    ---
    ■ Synchronet ■ Deep Space '94 - deepspace94.com - The Best 1994 Had to Offer
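    As an added illustration of the two login changes proposed above (not Synchronet code, and not something the poster wrote): a small Python login routine that always prompts for a password, keeps usernames case-insensitive, stores passwords as salted PBKDF2 hashes, and returns one failure message whether the name or the password was wrong. The in-memory user table, the credentials, the iteration count and the message strings are all constructed for the example. `login_leaky` reproduces the behaviour described in the post (a distinct response for an unknown name) so the difference is visible side by side.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for the example.
ITERATIONS = 50_000
FAILURE = "Login failed."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


# Throwaway record used when the username does not exist, so the server does
# the same PBKDF2 work (and takes the same time) whether or not the user is real.
DUMMY_SALT, DUMMY_KEY = hash_password(secrets.token_urlsafe(32))


class UserDB:
    """Constructed in-memory user table: lower-cased name -> (salt, key)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add(self, username: str, password: str) -> None:
        # Usernames stay case-insensitive, as on the BBS; the password becomes
        # case-sensitive because it is hashed byte for byte.
        self._users[username.lower()] = hash_password(password)

    def lookup(self, username: str) -> Optional[Tuple[bytes, bytes]]:
        return self._users.get(username.lower())


def login_leaky(db: UserDB, username: str, password: str) -> Tuple[bool, str]:
    """The behaviour described in the post: bail out on an unknown name,
    which tells the caller which usernames exist."""
    record = db.lookup(username)
    if record is None:
        return False, "Unknown user name."
    salt, key = record
    if not hmac.compare_digest(hash_password(password, salt)[1], key):
        return False, "Wrong password."
    return True, "Welcome."


def login(db: UserDB, username: str, password: str) -> Tuple[bool, str]:
    """Always take a password, always do the same hashing work, and return
    one failure message whether the name or the password was wrong."""
    record = db.lookup(username)
    exists = record is not None
    salt, key = record if exists else (DUMMY_SALT, DUMMY_KEY)
    candidate = hash_password(password, salt)[1]
    matched = hmac.compare_digest(candidate, key)
    if matched and exists:
        return True, "Welcome."
    return False, FAILURE


if __name__ == "__main__":
    db = UserDB()
    db.add("Deepthaw", "hunter2")  # constructed credentials
    for name, pw in (("deepthaw", "hunter2"), ("deepthaw", "HUNTER2"), ("nobody", "hunter2")):
        print(name, pw, "leaky:", login_leaky(db, name, pw), "fixed:", login(db, name, pw))
```

    The dummy record matters as much as the uniform message: without it an attacker can still tell real names from fake ones by timing, because the hash is only computed for names that exist.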
  • From Digital Man@VERT to Deepthaw on Thu Jul 6 00:07:55 2017
    Re: Login / Passwords / Etc.
    By: Deepthaw to All on Wed Jul 05 2017 08:58 am

    SBBS is making me get the cobwebs off my programming (My degree is in CS, but my job has zero need for programming) and I've been starting to dig into the source with the hopes of making contributions.

    Would these be viewed as worthwhile changes to submit?

    * Tweak the login procedure to make it more difficult to identify usernames
    ** right now it kicks you back out as soon as you put in an invalid username. A better practice might be to ask for the password even if there isn't a matching username - this keeps attackers from being able to rapidly phish the system for login credentials. (of course, having a published list of users would kind of negate the usefulness of this, but still...)

    Simply set SCFG->Nodes->Node 1->Toggle Options->Always Prompt for Password to "Yes". No source code changes needed.

    * Passwords are stored in plain text and are case insensitive
    ** This is extremely convenient for everybody involved, but it's still a very 90s way of doing things. Hashed and salted passwords (as a SysOp configurable option) would make it so that not even the SysOp would be able to view a user's password. I haven't dug enough into the source to see how feasible this would even be.

    You'd break everything and wouldn't be able to support the various secure authentication schemes (e.g. CRAM-MD5) already supported by Synchronet services.

    ** The real worry here is an attacker who compromised an SBBS system would have a list of passwords that users potentially used elsewhere. (I had a blurb in my newuser.msg asking them to use a unique password in case the BBS gets hacked or I turn evil.)

    Yup, but there's no simple solution either.

    digital man

    Synchronet "Real Fact" #17:
    "Vertrauen" (ver-trow-en) translates to "trust" in German, and was a band name. Norco, CA WX: 67.4°F, 68.0% humidity, 0 mph S wind, 0.00 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ telnet://vert.synchro.net
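    An added example (not Synchronet code, and not part of either post) of why the CRAM-MD5 point above rules out a salted-hash password store: CRAM-MD5 (RFC 2195) has the client answer a server challenge with HMAC-MD5 keyed by the password, so the server can only check the answer if it can recompute that HMAC, which requires the password itself. The hostname, username, password, salt and iteration count below are constructed; the third case hands the server only a salted hash of the password and shows that it cannot verify a correct client response.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional


def make_challenge(hostname: str) -> bytes:
    """Server side: an RFC 2195 style challenge '<random.timestamp@hostname>'."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode("ascii")


def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """HMAC-MD5 over the challenge, keyed with the shared secret, as lowercase hex."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def client_respond(username: str, password: str, challenge_b64: bytes) -> bytes:
    """Client side: decode the challenge, answer 'username hexdigest', base64-encode it."""
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(password.encode("utf-8"), challenge)
    return base64.b64encode(f"{username} {digest}".encode("utf-8"))


def server_verify(response_b64: bytes, challenge: bytes,
                  secret_for: Callable[[str], Optional[bytes]]) -> bool:
    """Server side: look up the stored secret, recompute the digest, compare."""
    username, _, digest = base64.b64decode(response_b64).decode("utf-8").partition(" ")
    secret = secret_for(username)
    if secret is None:
        return False
    return hmac.compare_digest(cram_md5_digest(secret, challenge), digest)


def run_exchange(secret_for: Callable[[str], Optional[bytes]], client_password: str) -> bool:
    """One full challenge/response round trip; returns whether the server accepts it."""
    challenge = make_challenge("bbs.example")  # constructed hostname
    response = client_respond("deepthaw", client_password, base64.b64encode(challenge))
    return server_verify(response, challenge, secret_for)


# Constructed user record in two storage forms.
PLAINTEXT: Dict[str, bytes] = {"deepthaw": b"hunter2"}
SALT = os.urandom(16)
SALTED_HASH: Dict[str, bytes] = {
    "deepthaw": hashlib.pbkdf2_hmac("sha256", b"hunter2", SALT, 50_000),
}


def demo() -> Dict[str, bool]:
    return {
        # Server holds the plaintext: a correct password is accepted, a wrong one is not.
        "plaintext_store_right_pw": run_exchange(PLAINTEXT.get, "hunter2"),
        "plaintext_store_wrong_pw": run_exchange(PLAINTEXT.get, "HUNTER2"),
        # Server holds only a salted hash: the best it can do is key the HMAC with
        # that hash, which never matches a client that used the real password.
        "salted_hash_store_right_pw": run_exchange(SALTED_HASH.get, "hunter2"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

    A server could store the precomputed HMAC-MD5 inner and outer hash states instead of the password, but for this mechanism those states are password-equivalent, so that moves the problem rather than removing it. Note also that CRAM-MD5 keys the HMAC with the password bytes exactly as typed, so a case-insensitive password store would have to fold case before keying, which is one more thing the scheme pins down.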
  • From Mro@VERT/BBSESINF to Deepthaw on Sun Jul 9 16:14:24 2017
    Re: Login / Passwords / Etc.
    By: Deepthaw to All on Wed Jul 05 2017 08:58 am

    SBBS is making me get the cobwebs off my programming (My degree is in CS, but my job has zero need for programming) and I've been starting to dig into the source with the hopes of making contributions.


    it would be good if synchronet had a torrent tracker integrated into its file system so networked boards could share the same files if they chose to. we could accumulate the largest bbs related filebase this way. or any genre.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Vk3jed@VERT/FREEWAY to Mro on Mon Jul 10 09:52:00 2017
    Mro wrote to Deepthaw <=-

    it would be good if synchronet had a torrent tracker integrated into
    its file system so networked boards could share the same files if they
    chose to. we could accumulate the largest bbs related filebase this
    way. or any genre.
    ---

    That's a neat idea. Bittorrent is an efficient means to distribute files, and for large downloads, it's both faster and more reliable to use Bittorrent. Given a choice between HTTP and Bittorrent, especially if there's an unreliable Internet connection in the path, Bittorrent wins hands down. HTTP sometimes prematurely ends the transfer, but says the file is "complete".

    And if we're carrying the same files (e.g. all nodes on a network), Bittorrent makes sense for systems that are Internet connected.


    ... Crayons can take you more places than starships. * Guinan
    --- MultiMail/Win32 v0.49
    ■ Synchronet ■ Freeway BBS in Bendigo, Australia.