1. Forum
  2. FidoNET
  3. SYNCHRONET

  • Question on User Data

    From Feserenity@1:103/705 to Digital Man on Wednesday, February 18, 2026 00:12:55
    Re: Question on User Data
    By: Digital Man to Feserenity on Tue Feb 17 2026 07:45 pm

    No, there's no mechanism for hashing or encrypting the passwords in the Synchronet userbase (today, that's data/user/user.tab). A one-way hash would be particularly tricky because Synchronet supports a bunch
    of
    digest-based authentication methods that all require different hashes of the password along with challenge/nonce/sale (so you need the original password to compute those).

    We could encrypt the passwords on disk (reversable to plaintext again, for the above stated reasons), but then you need to have/store a key to decrypt them somewhere and how is that any more secure than the
    user.tab file? It's a can of worms that hasn't be worth dumping out and sorting through.

    Thanks! Yeah that would make it tricky if supporting other Auth mechanisms that need to have their client-given hash + salt match the server-side password post hashing + salting. Hmmmm.... Yeah in that case is definitely a can of worms. And for sure encrypting them at rest is a nice idea but then if you have to decrypt them per login operation then the information is floating around on the server anyways to revert them back to plaintext.

    Will go with the human-side solution for now and encourage folks to not use a password they don't want me to potentially see.

    Thanks again!
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From MRO@1:103/705 to Digital Man on Wednesday, February 18, 2026 02:37:22
    Re: Question on User Data
    By: Digital Man to Feserenity on Tue Feb 17 2026 07:45 pm

    have/store a key to decrypt them somewhere and how is that any more
    secure than the user.tab file? It's a can of worms that hasn't
    be worth dumping out and sorting through.



    it was fun when i could go on anybody's bbs and print their password and system password if they were using a baja module that allowed text input.

    pistolgrip pretty much shit his pants and reversed his stance on not doing anything until you made an update.


    --
    "Before using Wildcat....This Company did not have a convenient way of
    looking after some of the richest clients in the world...Now we do!"
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)