Comparing of password hashes.

Comparing of password hashes.

by Lejo » Post

Are two password hashes from different servers always the same???
Or only for the same server?

Thanks!

Re: Comparing of password hashes.

by rubenwardy » Post

Minetest doesn't use password hashes. The thing that is stored will be different for different servers, afaik.

See this for more info: Secure Remote Password

Re: Comparing of password hashes.

by Lejo » Post

So is minetest.auth_table[name].password a different value on different servers with the same password?

Re: Comparing of password hashes.

by Lejo » Post

Here just a == is used.
Can I do the same in Lua?

Just say two clients with the same password and the same name on different servers.
minetest.auth_table[name].password == minetest.auth_table[name].password
^ Server One ^ Server Two

Will this be true?

Thanks!

Re: Comparing of password hashes.

by LMD » Post

I guess that depends on whether the server admins changed their hash functions...

Re: Comparing of password hashes.

by TalkLounge » Post

Just say two clients with the same password and the same name on different servers.
minetest.auth_table[name].password == minetest.auth_table[name].password
^ Server One ^ Server Two

Will this be true?
No, see here.

minetest.register_on_joinplayer(function(player)
    local path = minetest.get_worldpath() .. "/hash.txt"
    -- the entry stored for this player in the auth table
    local stored = minetest.auth_table[player:get_player_name()].password
    local file = io.open(path, "r")
    if not file then
        -- first run: remember the stored entry for later comparison
        file = io.open(path, "w")
        file:write(stored)
        file:close()
    else
        -- later runs: read back the remembered entry and compare
        -- (the handle from the open above is reused instead of leaked)
        local hash = file:read("*a")
        file:close()
        if stored ~= hash then
            minetest.chat_send_all("Ungleich")
        else
            minetest.chat_send_all("Gleich")
        end
    end
end)

Re: Comparing of password hashes.

by LMD » Post

Okay, most likely it hashes the password with time or so... I guess we have to modify builtin to get our stuff working.

Re: Comparing of password hashes.

by LMD » Post

Oh no, sorry, for me it is exactly different.
[attached screenshot: prove.png]

EDIT: Seems I didn't follow the instructions...
Last edited by LMD on Fri Jul 20, 2018 13:16, edited 1 time in total.

Re: Comparing of password hashes.

by rubenwardy » Post

The verifier (hash equiv) will be different on different servers or accounts.

The protocol works by the client proving that they know the password without actually sending it. The server sends some stuff it stored - the salt and some constants - and the client calculates a verifier using this and sends it back. If the master password was coded for that particular account using the same constants, you could have an or to allow either password. But you'd need to encode the master password with the same salt and consts to check it. As for multiple servers, you'd need to have the same salt and consts for the verifier to be the same.

Re: Comparing of password hashes.

by LMD » Post

Salt means nothing more than those white crystals to me, sorry, but I'm not a core dev -> please explain for a minor.

Re: Comparing of password hashes.

by Lejo » Post

Is it possible to switch from the SRP mechanism to Legacy_Password, which is only hashed?

Re: Comparing of password hashes.

by LMD » Post

Ask rubenwardy or Krock or other core devs... IRC is a good place maybe... I'll try...

Re: Comparing of password hashes.

by Hybrid Dog » Post

rubenwardy wrote:The verifier (hash equiv) will be different on different servers or accounts.

The protocol works by the client proving that they know the password without actually sending it. The server sends some stuff it stored - the salt and some constants - and the client calculates a verifier using this and sends it back. If the master password was coded for that particular account using the same constants, you could have an or to allow either password. But you'd need to encode the master password with the same salt and consts to check it. As for multiple servers, you'd need to have the same salt and consts for the verifier to be the same.
If I understand this correctly, you can simply join the server with a modified client, which saves the salt and constants somewhere. Then you can create your own server with these salt and consts values and make players from that server join yours. Since they likely use their usual password, you can use their sent hash values to join with their account on the server where you got the salt and consts.

Re: Comparing of password hashes.

by hajo » Post

LMD wrote:salt means nothing more than that white crystals to me .. please explain
see wikipedia: Salt_(cryptography)

Re: Comparing of password hashes.

by Byakuren » Post

Hybrid Dog wrote:
rubenwardy wrote:The verifier (hash equiv) will be different on different servers or accounts.

The protocol works by the client proving that they know the password without actually sending it. The server sends some stuff it stored - the salt and some constants - and the client calculates a verifier using this and sends it back. If the master password was coded for that particular account using the same constants, you could have an or to allow either password. But you'd need to encode the master password with the same salt and consts to check it. As for multiple servers, you'd need to have the same salt and consts for the verifier to be the same.
If I understand this correctly, you can simply join the server with a modified client, which saves the salt and constants somewhere. Then you can create your own server with these salt and consts values and make players from that server join yours. Since they likely use their usual password, you can use their sent hash values to join with their account on the server where you got the salt and consts.
No, because some of the values used during login are selected randomly each time, so the thing the client has to send is always different (with high probability).

Re: Comparing of password hashes.

by Lejo » Post

Does this mean that the saved password also includes the salt?

Re: Comparing of password hashes.

by wemopoj361 » Post

Yes, the password stored in the auth file includes the salt that was used to generate the verifier.

This is from the docs.
Format (since 0.4.13) of password hash is #1#<salt>#<verifier>, with the
parts inside <> encoded in the base64 encoding.
<verifier> is an RFC 2945 compatible SRP verifier,
of the given salt, password, and the player's name lowercased,
using the 2048-bit group specified in RFC 5054 and the SHA-256 hash function.

Below is an example of a password stored in the "auth.sqlite".

#1#TEPS7t/sDQIfjXITPnD1qg#EnjDAc6YJsmxo1Js8PVZ7Tx9JajIiXN1xHkfmMLui5QvHJnUxzlgzNmqSqr0oyJTvc2zMKeftD8tECzoeTmxg8WCKrcINzNLgtelAPBAsvJAcMOYyxZbAAxggb5R2CyzcyNQ9YATuxbEIEZLtXF6y/UNN9uFOUErvoGvih3v4aSYHj/Qf5SSWPHnx8OhZTkIB/p8k+GXIDwoHxutQKpg7Oia3DqvSxNWTobMmT+fPGceYuA+ffNw/lf8tboaSSELpV18FzEAl2esXZL5oHnAEHVzTmqUeerwzmB8vogxAjUVxzwUxBs6JxQwcy3RNaYoFBD5JywTHN9f12qogF4hZA
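The following is an added example, not code from this thread or from Minetest itself: it parses the #1#<salt>#<verifier> entry described above and recomputes the RFC 2945 verifier (SHA-256, RFC 5054 2048-bit group) from a name, password and salt, which is exactly why two servers holding the same password store different values (each picks its own salt) and why an admin can still check a candidate password offline against the stored entry. The group constant is transcribed from RFC 5054; the 16-byte salt, the unpadded base64 (as in the quoted entry) and all function names are assumptions of this example.

```python
import base64
import hashlib
import os

# RFC 5054 2048-bit group (N, g), transcribed from the RFC; the docs quoted above say Minetest uses it.
N = int(
    "AC6BDB41324A9A9BF166DE5E1389582FAF72B6651987EE07FC3192943DB56050"
    "A37329CBB4A099ED8193E0757767A13DD52312AB4B03310DCD7F48A9DA04FD50"
    "E8083969EDB767B0CF6095179A163AB3661A05FBD5FAAAE82918A9962F0B93B8"
    "55F97993EC975EEAA80D740ADBF4FF747359D041D5C33EA71D281E446B14773B"
    "CA97B43A23FB801676BD207A436C6481F1D2B9078717461A5B9D32E688F87748"
    "544523B524B0D57D5EA77A2775D2ECFA032CFBDBF52FB3786160279004E57AE6"
    "AF874E7303CE53299CCC041C7BC308D82A5698F3A8D0C38271AE35F8E9DBFBB6"
    "94B5C803D89F7AE435DE236D525F54759B65E372FCD68EF20FA7111F9E4AFF73", 16)
G = 2

# The auth.sqlite entry quoted in the post above, used here as sample input.
FORUM_EXAMPLE = "#1#TEPS7t/sDQIfjXITPnD1qg#EnjDAc6YJsmxo1Js8PVZ7Tx9JajIiXN1xHkfmMLui5QvHJnUxzlgzNmqSqr0oyJTvc2zMKeftD8tECzoeTmxg8WCKrcINzNLgtelAPBAsvJAcMOYyxZbAAxggb5R2CyzcyNQ9YATuxbEIEZLtXF6y/UNN9uFOUErvoGvih3v4aSYHj/Qf5SSWPHnx8OhZTkIB/p8k+GXIDwoHxutQKpg7Oia3DqvSxNWTobMmT+fPGceYuA+ffNw/lf8tboaSSELpV18FzEAl2esXZL5oHnAEHVzTmqUeerwzmB8vogxAjUVxzwUxBs6JxQwcy3RNaYoFBD5JywTHN9f12qogF4hZA"

def b64decode(s):
    """Decode base64 whether or not the '=' padding was kept (the forum entry drops it)."""
    return base64.b64decode(s + "=" * (-len(s) % 4))

def b64encode(raw):
    """Encode like the forum entry: standard alphabet, padding stripped (assumed)."""
    return base64.b64encode(raw).decode().rstrip("=")

def parse_auth_password(stored):
    """Split '#1#<salt>#<verifier>' into the raw salt bytes and the verifier as an int."""
    parts = stored.split("#")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not a #1#<salt>#<verifier> entry")
    return b64decode(parts[2]), int.from_bytes(b64decode(parts[3]), "big")

def srp_verifier(name, password, salt):
    """RFC 2945 verifier: x = H(salt | H(I ':' P)) with I = lowercased name, v = g^x mod N."""
    inner = hashlib.sha256((name.lower() + ":" + password).encode()).digest()
    x = int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")
    return pow(G, x, N)

def make_auth_password(name, password, salt=None):
    """Build a stored entry; a fresh random salt (16 bytes assumed) makes each server's value differ."""
    salt = os.urandom(16) if salt is None else salt
    v = srp_verifier(name, password, salt)
    return "#1#%s#%s" % (b64encode(salt), b64encode(v.to_bytes(256, "big")))

def check_password(stored, name, password):
    """Offline check a server can do: recompute v with the stored salt and compare to the stored v."""
    salt, verifier = parse_auth_password(stored)
    return srp_verifier(name, password, salt) == verifier
```

Calling make_auth_password twice with the same name and password answers the thread's question: the two strings differ because the salts differ, yet check_password accepts the password against both.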

Re: Comparing of password hashes.

by wemopoj361 » Post

If you want to check the password against another password with python3, this should help: https://github.com/konsoleSam/MinetestAuthVerifier

Re: Comparing of password hashes.

by sorcerykid » Post

Afaik if the server admin uses the /setpassword command, then Minetest does use a cryptographic hashing algorithm based only on username + password pair (I think it stores SHA256 as Base64) in which case the same hash could appear on multiple servers.