Welcome to Gaia! :: View User's Journal | Gaia Journals



View User's Journal

Notes From Gaia
Random thoughts from inside Gaia
Passwords And You
I had mentioned in another thread that we don't store your password, so we can never surrender it -- but an obvious question is, how can this work?

How Do We Know Your Password If We Never Store It?
We never store your password in the database. Instead, what we do is run a cryptographic hashing function. Let me explain with a simple example; let's say that our one-way hashing function is just adding up the letters of the alphabet, where A=1, B=2, ... .

So you tell us that you want your password to be "CAT." The word CAT will convert to 3 + 1 + 20 = 24, so in the database we store:

name = yourusername, password_hash = 24

Now, notice that even if someone gets our database, they have no clue if your password is CAT or ACT or TCA or HHH or FFFF or DDDDDD or any of the combinations of letters that add up to 24.

What We Really Use
The function that we really use is not adding the letters in the password, but instead, a function called MD5, which hashes any string into a 16 byte value that is called a fingerprint. MD5 has a number of properties, one of which is that it is fairly resistance to tampering, and is not easy to forge. Given our simple hash function above where we just added the letters, it would be fairly easy to figure out a password that would map the value. However, with MD5, you pretty have to run through a bunch of different values, hoping that you hit the right value.

How Do You Handle Logins?
If you have Javascript enabled, you never even send your password to us: we actually compute the MD5 of your password on the client side, and that is the value that is sent to us. This gives us the advantage of secure logins without having to use HTTPS.

Layers Of Complication
"But wait," you ask, "if you just send an MD5 over, then I can just steal the MD5 and use that as the password."

Ah, not that easy. We use what is called a salt to make sure that the MD5 value for any particular password; it makes the "correct" MD5 for a particular login different every time. It works something like this:

- we know the MD5 of your password
- user tries to log into the site
- we assign a special password salt for the session -- call it "ABCDE"
- user types their name and password ("password" wink
- your browser computes the MD5 of the password ("5f4dcc3b5aa765d61d8327deb882cf99" wink
- your browser adds the salt to the MD5 ("5f4dcc3b5aa765d61d8327deb882cf99ABCDE" wink
- your browser computes the MD5 again ("9ad58c3f9e7b7ca796e8e25d555c15e9" wink
- that MD5 is passed to us
- we compare it versus what we know about the MD5 + the salt we passed before

So, this is how you can log in without us knowing your password.

Security of MD5
How secure is this? I mean, after all, I'm giving nitty gritty details here!

Pretty secure. Computing the MD5 for a value is computationally intense: you basically have to run through all of the values. (There have been some academic papers lately that point to some flaws in MD5, but these flaws are not applicable to this situation). In fact, we are so confident that this is secure that I will put my money where my mouth is. The following are the MD5s for a two login sessions of mine. If you are the first to find the original password, I will mail $100 to you anywhere in the world. If you are the first to find any 5 to 15 character password that maps to the MD5 values, I will mail $20 to you anywhere in the world. Free and legal money!

EDIT: Okay, just to be clear, this is now an old password. So don't worry about having your account banned for hacking. The cash offer still stands, though. biggrin

salt = "fgtt", MD5(MD5(password) + "fgtt") = c6cb9cb50e84724ce8f09301e62d8b0b
salt = "3p09q", MD5(MD5(password) + "3p09q") = dd502a9d41d5b2bb64990779ddbc060f

User Comments: [30] [add]
Community Member
commentCommented on: Wed Apr 23, 2008 @ 04:00am
I would so try and prove you wrong, but I would be banned, wouldn't I? rofl
EDIT: Oh wait, it would be stupid of me to try and log in as your account when I can do this locally x_x;;

Thanks for this update. I hope you're not revealing too much. You know, a lot of people couldn't figure out this basic information... Not like you have to worry about that type of person trying to find the password.

commentCommented on: Wed Apr 23, 2008 @ 04:10am
This has nothing to do with your post, but it is about the 'temporary' measure of censoring images.

It seems like the IMGMAP bbcode isn't blocking images like the other three image tags, so it's not really stopping spammers.

It might also help, if it's going to be this way for a while, to add some other trustworthy websites to the whitelist (i.e. *.tinypic.com and *.imageshack.us) TinyPic is a Photobucket-owned site and works much the same way.

If there was a large enough white list, it might be possible to check the remaining images server-side with php or something. Here's an example that I used once on a forum alongside a whitelist:

It returns FALSE for any images that aren't real or require authentication (password scam). It might not be the best solution, but it seemed to work well and be fast enough at the time.

Community Member
Community Member
commentCommented on: Wed Apr 23, 2008 @ 04:22am
@Chema: Thanks, we fixed the imgmap problem. We're considering proxying all images through us -- it helps with the password protected image problem, but not the spam/gore problem.

commentCommented on: Wed Apr 23, 2008 @ 05:09am
Thanks for the info <3 It's great to know. <3 <3 <3

Community Member
Community Member
commentCommented on: Wed Apr 23, 2008 @ 05:35am
I cracked it!
The password is:

Where's my $100?

commentCommented on: Wed Apr 23, 2008 @ 05:47am
Well, as long as you're considering proxy, you could always use getimagesize or something and block->link all images over X width/height. Of course, my guess would be that they would just use slightly smaller images then (which wouldn't be a total loss, just perhaps not necessarily a win if the time used isn't worth the gained benefit). :]

Community Member
Miles To Go
Community Member
commentCommented on: Wed Apr 23, 2008 @ 05:57am
Haha, I would love to try and crack that for fun but I don't think it would be possible without advanced calculus or a Rainbow Table. xd

commentCommented on: Wed Apr 23, 2008 @ 06:01am

Dude, thats hardcore O:

Community Member
Community Member
commentCommented on: Wed Apr 23, 2008 @ 07:08am
Cash incentives? Wow this inspires me to keep plugging away in pre-calculus! xd

commentCommented on: Wed Apr 23, 2008 @ 07:49am
Friggin sweet! So, we guess your Password, get paid for it, and then get banned for Hacking/compromising a Staff Account rofl You're priceless XD

Darien S.
Community Member
User 8628682
Community Member
commentCommented on: Wed Apr 23, 2008 @ 11:28am
Hi again Pama!

I left a comment in your last journal entry about not being able to see avis. It seems like upon calling their ISPs, some people have found a workaround. Which can be found in the thread that I linked you to yesterday. I'm still wondering whether the problem was Gaia's side or the ISP's side. It seems rather weird that it the problem hit mostly Filipino users in general and not just a specific ISP. Anyway, it's all good now and we're happy to have our avis back. biggrin


commentCommented on: Wed Apr 23, 2008 @ 08:30pm
Brave Warrior, you are doing such a great job! I was so impressed that you were up all night on the weekend fixing the profile problems. crying Thanks for your dedication to Gaia and to our safety. domokun

Chocobo Princess
Site Moderator
Cube B
Community Member
commentCommented on: Wed Apr 23, 2008 @ 09:48pm
On the subject of Image proxies...

A size limiter and an ignore function would solve many problems.

Also, I'd love to see easier use of a photobucket at Gaia feature, that allows me to upload stuff to Photobucket via widget on Gaia. Maybe even the ability to link my Photobucket account to my Gaia account! This would allow for cool functions like taking screenshots in Towns/Rallies/MMO/OMG/Etc.

commentCommented on: Thu Apr 24, 2008 @ 12:03am
I've been learning these sorts of things in ICT biggrin

just what they do though.

Community Member
Community Member
commentCommented on: Thu Apr 24, 2008 @ 02:18am
Oh the joys of Cryptographic Hashes! This stuff gets me so excited, you should know better than posting something like this when I should be working on my Databases project... ah, that's why I'm studying it though. Isn't MD5 wonderful? Good to hear you're using a salt, though, without it MD5 is rather easy to crack using rainbow tables.

What a game of cat and mouse! That's why I'm not specializing in it... AI and Machine learning are much more interesting, in my honest opinion. Also, I feel you oversimplified the subject of salts, perhaps too much, though I suppose in the interest of the general audience I'll let it slide. razz heart

Oh, and if anyone does manage to crack this, I should think that there's much more at stake than 100 dollars from Panagrammic. The Computer Science community would probably like you to publish a paper and shower you with money.

And then kill you. sweatdrop

commentCommented on: Thu Apr 24, 2008 @ 04:34am
I want monies ;_; Of course it would probably just roll back around to Gaia anyway. rofl If only I understood what the heck you were on about. o: Oh well

Ginger Flare
Community Member
Cid High-Wind
Community Member
commentCommented on: Thu Apr 24, 2008 @ 04:52am
I'm not even going to try. xd

Though $100 is a pretty good incentive.

commentCommented on: Thu Apr 24, 2008 @ 05:45am
Geek talk is so hawt.

Community Member
France Hopper
Community Member
commentCommented on: Thu Apr 24, 2008 @ 12:03pm

As much as I do like trying to crack passwords I'm not even going to try an MD5. I've seen some pretty nasty hashes already.

commentCommented on: Thu Apr 24, 2008 @ 04:20pm

Nah! Panagrammic didn't say when the due date for this moneys was. I got a process running in the background, doing some MD5 calculations. Searching through every single string possible until we find one.

I can wait a few years for $100. rofl
Brute Force ftw!

Community Member
Community Member
commentCommented on: Thu Apr 24, 2008 @ 11:03pm
I hope no one actually wastes his or her time with this; it can't be done on a home computer. You have to have an array of CPUs all working on it.

commentCommented on: Fri Apr 25, 2008 @ 10:37am
Dear developer,
I had a few ideas on this kind of protection on passwords, but there is a few minor problems with the ideas and i was wondering if you could at least look at the ideas.
~~The ideas~~

I know they might have already been suggested and i give who ever suggested in the first place and before me credit.
If you can at least look these over it would make me happy X3.

Rasuki suki

Community Member
Community Member
commentCommented on: Fri Apr 25, 2008 @ 03:07pm
Pritchard, if he uses a non-dictionary password with special characters, you're screwed, man. By the time you get it, 100 US dollars won't be enough to buy a stick of gum. xd INFLATION YAY?

commentCommented on: Fri Apr 25, 2008 @ 06:14pm
Hmmm . . .something's going on with the siggys in your journal today . . . or are ya turning 'em back into a "read my journal" click-back through for a reason, when I tried to edit my postie?

I saw I was missing the last ']' in the color code after my post came up, but at that time, my siggy was ok - two hatching aquatic images - but after the edit, everyone's siggys were the "read my journal" click-through.

I backed up a few pages, and the original post of mine was gone. The other sigs were still the journal click-through, bringing me back to your journal.

**Granny-Hugs** for all your "work".
Attaching Signature and learning how to spell by entering both words below . . . 3nodding . . . no preview.

I LOVE GAIA. You can't make me.

Community Member
Community Member
commentCommented on: Sat Apr 26, 2008 @ 03:26am
User Image
[♦] [♥] [♦]
▬ ▬ ▬ ▬ ▬

This does sound interesting even though it's abit over my head.It makes me wonder how I manage to squeak by with a B in Pre-Calculus and Algebra III xd .

@AlexDitto-Even though Pana oversimplified it,he made it abit more understandable for us tech inept folk xd .I'm better versed at sociology and the like.

For the record,I'm not even going to attempt cracking that code rofl .$100 or not,it's not,seems to much of a pain to try.

▬ ▬ ▬ ▬ ▬
[♥] [♦] [♥]
User Image

commentCommented on: Tue Apr 29, 2008 @ 01:10am
O o

Community Member
Artimus The Renowned
Community Member
commentCommented on: Tue Jun 03, 2008 @ 09:28am
Wow. I am really glad to have been able to take part in this entry.
I feel much safer having read that.

Although now, I feel quite outdated and dare I say.. Old.

I would NOT want to trade jobs with you coding guys, No Way

User Comments: [30] [add]
Manage Your Items
Other Stuff
Get GCash
Get Items
More Items
Where Everyone Hangs Out
Other Community Areas
Virtual Spaces
Fun Stuff
Gaia's Games
Play with GCash
Play with Platinum

Customize your own avatar now!

Join Now

Have an account? Login Now!