Subj : src/sbbs3/useredit.cpp
To   : deon
From : Digital Man
Date : Mon Feb 27 2023 10:55:06

  Re: src/sbbs3/useredit.cpp
  By: deon to Digital Man on Mon Feb 27 2023 08:08 pm

 > Re: src/sbbs3/useredit.cpp
 > By: Digital Man to deon on Sun Feb 26 2023 09:32 pm

 > > > > in memory at some point during the authentication process(es). So
 > > > > we'd have to have a way to decrypt an encrypted password (i.e.
 > > > > stored in user.tab file). Which means you'd have to have a private
 > > > > key stored somewhere. Is that private key store secure? If it's
 > > > > just a file in the sbbs directory tree, it's no more secure than the
 > > > > user.tab file. You see where this is going?

 > > > Why is it needed to decrypt it?

 > > I'm not sure I understand your question. Why is a key needed to decrypt a
 > > password? Because that's how reversible encryption works.

 > So you said "We'd have to have a way to decrypt an encrypted password".
 > My question is, why do you need to decrypt it?

To perform secure hash-based authentication (e.g. CRAM-MD5), you either need the original password, in plain text, or you need a pre-hashed (unsalted) password using the same crypto-hash scheme as that method of authentication. Since we support multiple methods of secure authentication using very different crypto algorithms/secure-hashes, we need the original password in plain text. That means if the password were stored encrypted, we'd have to be able to decrypt it (on the fly).

 > This message is in the context that somebody asked if you had plans to
 > encrypt users' passwords.

I understand.

--
digital man (rob)

Synchronet/BBS Terminology Definition #40:
HTTPS = Secure HTTP (authenticated and encrypted HTTP over TLS)
Norco, CA WX: 50.3°F, 70.0% humidity, 0 mph NNE wind, 0.00 inches rain/24hrs

--- SBBSecho 3.20-Linux
 * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
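A worked illustration of the point made in the reply above, added here as an editor's example (not code from the message or from Synchronet): the server side of two challenge-response mechanisms, CRAM-MD5 (RFC 2195, HMAC-MD5) and APOP (RFC 1939, plain MD5), both of which must recompute a digest from the same secret the client used. The `CREDENTIALS` dict is a constructed stand-in for a plaintext credential store and is an assumption, not the user.tab layout.

```python
import hashlib
import hmac

# Constructed credential store for the example (assumption, not user.tab):
# user name -> plaintext password, which is what both mechanisms below need.
CREDENTIALS = {"tim": "tanstaaftanstaaf"}


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the plaintext password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(response: str, challenge: bytes) -> bool:
    """Server side of CRAM-MD5: recompute the HMAC and compare in constant time.

    The only usable stored forms are the plaintext or the HMAC's keyed MD5
    intermediate state (which hashlib cannot emit); a salted one-way hash such
    as PBKDF2 or bcrypt gives the server nothing it can key the HMAC with.
    """
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = CREDENTIALS.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def apop_digest(password: str, banner: bytes) -> str:
    """APOP: MD5 over the server's timestamp banner followed by the password.

    A different construction from CRAM-MD5, so a secret pre-hashed for one
    mechanism is useless to the other; serving both means keeping the plaintext.
    """
    return hashlib.md5(banner + password.encode()).hexdigest()


def verify_apop(username: str, digest: str, banner: bytes) -> bool:
    """Server side of APOP: same recomputation, same plaintext requirement."""
    password = CREDENTIALS.get(username)
    if password is None:
        return False
    return hmac.compare_digest(apop_digest(password, banner), digest)
```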