1. Forum
  2. FidoNet
  3. Mystic Support

  • Password Salt

    From Andy Gorman@1:229/426.52 to All on Wed Apr 28 18:33:21 2021
    As mentioned before, I'm working on an API that will read certain aspects of the data for a client of mine and all I have left to do is to synch up the password hashes. Does anyone know what salt was used to create the hashes? That way I can do an active comparison of passwords and not use unecrypted storage.

    Thanks
    --- Mystic BBS v1.12 A47 2021/04/20 (Windows/32)
    * Origin: The Pot O'Gold - bbs.thepotogold.net:4888 (1:229/426.52)
  • From g00r00@1:129/215 to Andy Gorman on Thu Apr 29 11:20:28 2021
    As mentioned before, I'm working on an API that will read certain
    aspects of the data for a client of mine and all I have left to do is
    to synch up the password hashes. Does anyone know what salt was used
    to create the hashes? That way I can do an active comparison of
    passwords and not use unecrypted storage.

    The intention of authentication from external sources was to force people to call Mystic either via a series of REST API calls (one to establish a preliminary session and token ID, and another to authenticate a password), or by running Mystic with the -AUTH command line (which will spit out TRUE/FALSE to STDIO).

    To answer your question though the passwords are a 512-bit PBKDF2 with variable iterations and a randomized salt. I try not to talk about specifics too much publically because in addition to the PBKDF2 there is also an element of security through obscurity too.

    I go back and forth as to whether or not I should document how to handle the hashes directly for something like what you want to do. But I would certainly hate for that to be the cause for someone to enable cleartext passwords (which is a feature I have considered removing as well).

    Would the STDIO or REST API work for you as an alternative or is what you are doing designed to work directly with data files only?

    --- Mystic BBS v1.12 A47 2021/04/28 (Windows/64)
    * Origin: Sector 7 | Mystic WHQ (1:129/215)
  • From Andy Gorman@1:229/426.52 to g00r00 on Thu Apr 29 21:41:40 2021
    On 29 Apr 2021, g00r00 said the following...
    I go back and forth as to whether or not I should document how to handle the hashes directly for something like what you want to do. But I would certainly hate for that to be the cause for someone to enable cleartext passwords (which is a feature I have considered removing as well).

    I don't blame you because someone can probably do some damage to a system. I turned on clear/case sensitive passwords temporarily to make sure I was reading the file right. Again, not the best practice in anyway. I think removing it is a good idea, personally.

    Would the STDIO or REST API work for you as an alternative or is what
    you are doing designed to work directly with data files only?


    I'm going to try to capture the STDIO and see if I can get that to work. If there was a REST API, then that would be even better. Thanks for all your support!

    Andy, aka The Leprechaun
    --- Mystic BBS v1.12 A47 2021/04/20 (Windows/32)
    * Origin: The Pot O'Gold - bbs.thepotogold.net:4888 (1:229/426.52)
  • From g00r00@1:129/215 to Andy Gorman on Sun May 2 15:11:28 2021
    I'm going to try to capture the STDIO and see if I can get that to work.
    If the re was a REST API, then that would be even better. Thanks for
    all your support!

    Ok let me know how that works out we can also look into the REST API side too if you have patience to wait/test it lol.

    The -auth is the only thing working now because I have waited for someone to actually need these features to build them out. So far there has only been one person who wanted the -auth function so I built that for them. I think I also have an undocumented variation of the -auth command that accepts a SHA512 hash too if you want to avoid passing cleartext command lines.

    I did carve out a /mysapi/ endpoint on the webserver for the REST side but there isn't a command to validate a password (yet).

    --- Mystic BBS v1.12 A47 2021/05/02 (Windows/64)
    * Origin: Sector 7 | Mystic WHQ (1:129/215)
  • From Andy Gorman@1:229/426.52 to g00r00 on Sun May 2 15:06:21 2021
    On 02 May 2021, g00r00 said the following...

    Ok let me know how that works out we can also look into the REST API
    side too if you have patience to wait/test it lol.

    It works pretty well so far. If anyone wants to see it in action, create an account on my BBS (bbs.thepotogold.net:4888) and then go here: https://api.thepotogold.net/UserCheck?u=<your username>&pw=<your password> It will return true if you entered the right info and false if you didn't.

    As for testing your version, I'd more than happy to test it out with you.

    for them. I think I also have an undocumented variation of the -auth command that accepts a SHA512 hash too if you want to avoid passing cleartext command lines.

    I'm only passing unecrypted values between the API and the bbs (both on the same system), so I'm not as worried about clear text. The API is using SSL, so it's encrypted right from the user's browser that may be using it.

    I did carve out a /mysapi/ endpoint on the webserver for the REST side
    but there isn't a command to validate a password (yet).

    Interesting. Is that there now or is it in development?

    Andy
    --- Mystic BBS v1.12 A47 2021/04/20 (Windows/32)
    * Origin: The Pot O'Gold - bbs.thepotogold.net:4888 (1:229/426.52)