Jump to content

Add Pepper to Your Passwords


Recommended Posts

Many people nowadays fail to lead a server. They also don't take responsibilities for their failure. There's a huge risk in security in these times where databases are getting leaked and account tables released. That's why I want to give you something for free. I'm not into showing "great c++ skills", it's just the fact that securing private data is the most important thing an admin should do.

 

So. Here is the simple solution. Nothing too fancy but it'll do it's job. A players password is stored with the built-in mysql function "password()". But as you already know people are too dumb to create more complex passwords. And there's always the risk of you getting your database leaked. It's easy to use rainbow tables to restore the original password out of its hash. A simple solution: pepper.

 

Pepper will automatically raise the password length by itself and therefore modify the hash you'll receive at last. It's just a simple "extension" if you want to call it like that. For this we think of a special letter like "test12356789". Now let's simply add it to every password you're using to log in.

 

1. find CInputAuth::Login in input_auth.cpp

 

2. above char szPasswd[PASSWD_MAX_LEN * 2 + 1]; we can add:

const char pepper[] = "test123456789"; //make sure to change this!

 

And then modify szPasswd[PASSWD_MAX_LEN * 2 + 1]; we earlier found to:

char szPasswd[PASSWD_MAX_LEN * 2 + 1 + strlen(pepper)];

 

3. Above // CHANNEL_SERVICE_LOGIN we can simply add:

strcat(szPasswd, pepper);

 

 

The code is simple. We declared a char variable and put our text into it. We modified our szPasswd-variable because we want to append our text to it with strcat. Note that strcat removes the old null-termination character, that's why we can safely use strlen without adding +1.

 

That's all. Compile it and you're ready to go.

Make sure you're also adapting your homepage to pepper. Just do the same trick. If you're on a running system and want to add pepper, then just force your users to change their paswords.

With this addition rainbowtables will most likely be useless. People would have to create new rainbow tables that are adapted to your pepper-variable. Nobody would do that especially since they don't know what you actually typed in there. Just make sure nobody knows what you used as your pepper variable.

I know it's nothing that big. But the topic is too serious and I guess most people don't even know the existence of pepper.

 

Oh and there's also a better security than this: Protect your users data.

That's all.

  • Love 13

what would you do in a battle of survival?

It's coming soon

Link to comment
  • Replies 7
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

It's quite easy to add it to your homepage. Just concatenate the password string you'd normally use for your query with the pepper variable.

 

Changing the whole encryption is a bit overkill I think. It'd only cost more performance without having a significant impact on your security.

  • Love 1

what would you do in a battle of survival?

It's coming soon

Link to comment

I've found a maybe better solution that's even easier to implement. First make sure you selected the account database:

use account;

 

Then you can run the following query to create your function. Make sure to replace the peppervariable with something of your own!

 

CREATE FUNCTION enc_pw(s CHAR(24)) RETURNS CHAR(50) DETERMINISTIC RETURN PASSWORD(CONCAT("thisisyourpeppervariable", s));

 

Then you won't have to add your pepper variable anywhere. Just use the enc_pw() function in your queries. For example:

SELECT enc_pw('testpassword');

 

This'll return the password you need.

 

Pros:

+ No need to store your pepper variable anywhere at your webserver etc.

+ Easy to use implementation

+ Easy changeable. You can for example add AES-encryption which is also supported by mysql to your function.

 

The function is persistent. It'll even be there after a reboot.

If you change something you'll first have to drop the old function:

DROP FUNCTION enc_pw;

 

Simple as that. In your source code you'll only have to edit input_auth.cpp to simply use enc_pw() instead of PASSWORD() for your query. You can also use the function at your webserver. So people who could've get access to your webserver won't be able to retreive your peppervariable. In addition: You can, as I stated, change the encryption completely. You can for example use SHA2(), AES or anything else that comes into your mind to even further encrypt it - twice if needed. Hackers won't know what encryption algorithm you're using. They'll be clueless unless they get to see the actual function. If you manage your permissions right and only allow your homepage user acces to the tables itself (You'll only need select, insert and update for some tables, NOT the actual database itself) people won't even be able to have insight to the function. You can test it. Log in as your homepage user, select the database account and run the following command:

SHOW CREATE FUNCTION enc_pw;

If it shows you the function routine, then you have permission to do so and you should lower the permission you give to your homepage account.

 

If used wisely it's a very secure procedure.

  • Love 2

what would you do in a battle of survival?

It's coming soon

Link to comment
  • 5 years later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×
×
  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.