Add Pepper to Your Passwords

[Isolation 53]

Many people nowadays fail to lead a server. They also don't take responsibilities for their failure. There's a huge risk in security in these times where databases are getting leaked and account tables released. That's why I want to give you something for free. I'm not into showing "great c++ skills", it's just the fact that securing private data is the most important thing an admin should do.

 

So. Here is the simple solution. Nothing too fancy but it'll do it's job. A players password is stored with the built-in mysql function "password()". But as you already know people are too dumb to create more complex passwords. And there's always the risk of you getting your database leaked. It's easy to use rainbow tables to restore the original password out of its hash. A simple solution: pepper.

 

Pepper will automatically raise the password length by itself and therefore modify the hash you'll receive at last. It's just a simple "extension" if you want to call it like that. For this we think of a special letter like "test12356789". Now let's simply add it to every password you're using to log in.

 

1. find CInputAuth::Login in input_auth.cpp

 

2. above char szPasswd[PASSWD_MAX_LEN * 2 + 1]; we can add:

const char pepper[] = "test123456789"; //make sure to change this!

 

And then modify szPasswd[PASSWD_MAX_LEN * 2 + 1]; we earlier found to:

char szPasswd[PASSWD_MAX_LEN * 2 + 1 + strlen(pepper)];

 

3. Above // CHANNEL_SERVICE_LOGIN we can simply add:

strcat(szPasswd, pepper);

 

 

The code is simple. We declared a char variable and put our text into it. We modified our szPasswd-variable because we want to append our text to it with strcat. Note that strcat removes the old null-termination character, that's why we can safely use strlen without adding +1.

 

That's all. Compile it and you're ready to go.

Make sure you're also adapting your homepage to pepper. Just do the same trick. If you're on a running system and want to add pepper, then just force your users to change their paswords.

With this addition rainbowtables will most likely be useless. People would have to create new rainbow tables that are adapted to your pepper-variable. Nobody would do that especially since they don't know what you actually typed in there. Just make sure nobody knows what you used as your pepper variable.

I know it's nothing that big. But the topic is too serious and I guess most people don't even know the existence of pepper.

 

Oh and there's also a better security than this: Protect your users data.

That's all.

[xP3NG3Rx 19072]

Hm, it's a good idea, thanks

[ionutxp 71]

Also we can use something like this: http://www.example-code.com/vcpp/crypt2_blowfish_matchPhp.aspand replace entirely mysql`s builtin password function.

[Galet 496]

Wow ! Thanks ! But how to add pepper to our homepage ?

[Isolation 53]

It's quite easy to add it to your homepage. Just concatenate the password string you'd normally use for your query with the pepper variable.

 

Changing the whole encryption is a bit overkill I think. It'd only cost more performance without having a significant impact on your security.

[Looking For PServer 0]

Also we can use something like this

With libraries like Crypto++ it should be very easy to realize that. Here's an example.

[Isolation 53]

I've found a maybe better solution that's even easier to implement. First make sure you selected the account database:

use account;

 

Then you can run the following query to create your function. Make sure to replace the peppervariable with something of your own!

 

CREATE FUNCTION enc_pw(s CHAR(24)) RETURNS CHAR(50) DETERMINISTIC RETURN PASSWORD(CONCAT("thisisyourpeppervariable", s));

 

Then you won't have to add your pepper variable anywhere. Just use the enc_pw() function in your queries. For example:

SELECT enc_pw('testpassword');

 

This'll return the password you need.

 

Pros:

+ No need to store your pepper variable anywhere at your webserver etc.

+ Easy to use implementation

+ Easy changeable. You can for example add AES-encryption which is also supported by mysql to your function.

 

The function is persistent. It'll even be there after a reboot.

If you change something you'll first have to drop the old function:

DROP FUNCTION enc_pw;

 

Simple as that. In your source code you'll only have to edit input_auth.cpp to simply use enc_pw() instead of PASSWORD() for your query. You can also use the function at your webserver. So people who could've get access to your webserver won't be able to retreive your peppervariable. In addition: You can, as I stated, change the encryption completely. You can for example use SHA2(), AES or anything else that comes into your mind to even further encrypt it - twice if needed. Hackers won't know what encryption algorithm you're using. They'll be clueless unless they get to see the actual function. If you manage your permissions right and only allow your homepage user acces to the tables itself (You'll only need select, insert and update for some tables, NOT the actual database itself) people won't even be able to have insight to the function. You can test it. Log in as your homepage user, select the database account and run the following command:

SHOW CREATE FUNCTION enc_pw;

If it shows you the function routine, then you have permission to do so and you should lower the permission you give to your homepage account.

 

If used wisely it's a very secure procedure.

[Defacer35 21]

Thanks for the share, after five long years i think this is still good way.