Cool VL Viewer forum

password length? 

Joined: 2021-04-13 05:25:02
Posts: 4
Hello, I am quite stumped. As part of protecting my SL account I tend to change my password from time to time; previously I had a 16-character password, now I have a 21-character password and cannot log in using CoolVL. Other viewers and the web (marketplace, account page) log me in without a hitch, so I suppose there is some password mangling going on, either in the other viewers and Linden websites or in CoolVL. Is there any way around this without the need to shorten my password?


2021-06-21 10:20:30

Joined: 2009-03-17 18:42:51
Posts: 5523
The SL password gets hashed via MD5 before being transmitted to the login server; the length of this hash is always 32 bytes (*). This hash is also saved locally (on your hard drive, in the saved settings and in user_settings/saved_grids_login.xml) after having been encrypted (using a unique machine ID that depends on your computer) and encoded in base64 format.

The only enforced limit on the password length in the Cool VL Viewer is 64 UTF-8 characters (in the login screen password input line), and if you are using non-ASCII characters, these will count for two or more bytes each.

EDIT: I just tried to set up a new account to perform password tests. The SL website now only seems to accept 16 characters maximum for the password when creating a new account (additional typed characters are simply not accepted in the input field: you can easily see that by revealing the password field, but this is also clearly written on the form)... And after creating a new account with a 16-character password, I could not change the latter for a longer password either. See for yourself:
Attachment: password-form.png


My bet is that only the first 16 characters of your 21-character password have been taken into account by the website and other viewers, while the Cool VL Viewer did take all 21 characters into account and hashed them (of course resulting in a different hash).

Try inputting only the first 16 characters of your password in the Cool VL Viewer, and see if it works...



(*) Whatever the password length, i.e. the latter does not really matter for the login password itself, except against brute-force attacks on the hash; but even in such a case, 16 random ASCII characters (with 7 bits of entropy each) for a password put you out of practical reach of such attacks.


2021-06-21 11:10:03
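The mismatch described in the reply above, as an added worked example (this is not code from the Cool VL Viewer or from Linden Lab). It models the two behaviours the post reports: the website and other viewers keep only the first 16 characters, while the viewer hashes everything typed up to its 64-byte UTF-8 field limit, so the two sides end up comparing MD5 digests of different strings. The function names, the sample passwords and the 128-value ASCII alphabet used for the bit count are constructed here; the MD5 hex digest and the two limits are the facts taken from the post.

```python
"""Why a password longer than 16 characters logs in on the SL website and in other
viewers but not in the Cool VL Viewer: the site keeps only the first 16 characters,
the viewer hashes everything typed. Constructed example, not viewer or LL code."""
import hashlib
import math

SITE_MAX_CHARS = 16     # limit observed on the SL account form in this thread
VIEWER_MAX_BYTES = 64   # Cool VL Viewer login-field limit, counted in UTF-8 bytes


def sl_login_hash(password: str) -> str:
    """MD5 of the UTF-8 encoded password, hex encoded: 32 hex characters, i.e. 16
    raw bytes. Per the post, only this digest (not the password) goes to the login
    server, so whatever string gets hashed is what must match on both sides."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def as_site_sees_it(password: str) -> str:
    """Model of the website / other viewers: silently keep the first 16 characters."""
    return password[:SITE_MAX_CHARS]


def as_viewer_sees_it(password: str) -> str:
    """Model of the Cool VL Viewer field: no character truncation, but the field
    refuses more than 64 UTF-8 bytes (non-ASCII characters cost 2 to 4 bytes each)."""
    if len(password.encode("utf-8")) > VIEWER_MAX_BYTES:
        raise ValueError("longer than the 64 UTF-8 bytes the login field accepts")
    return password


def login_would_match(password: str) -> bool:
    """True when the digest the viewer sends equals the digest the site stored
    at account creation or at the last password change."""
    sent = sl_login_hash(as_viewer_sees_it(password))
    stored = sl_login_hash(as_site_sees_it(password))
    return sent == stored


def workaround(password: str) -> str:
    """What the reply suggests typing into the viewer: the first 16 characters."""
    return password[:SITE_MAX_CHARS]


def utf8_budget(password: str) -> dict:
    """Characters versus bytes, since the two limits are counted differently."""
    raw = password.encode("utf-8")
    return {
        "chars": len(password),
        "utf8_bytes": len(raw),
        "fits_viewer_field": len(raw) <= VIEWER_MAX_BYTES,
        "truncated_by_site": len(password) > SITE_MAX_CHARS,
    }


def brute_force_bits(alphabet_size: int, length: int) -> float:
    """Search space of a uniformly random password, in bits (the footnote's
    estimate: 16 characters drawn from 128 ASCII values is 16 * 7 = 112 bits)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample password, 21 characters like the one in the question.
    pw = "Tr0ub4dor-3-is-2-long"
    print("full login works:", login_would_match(pw))                 # False
    print("16-char login works:", login_would_match(workaround(pw)))  # True
    print(utf8_budget("pässwörd" * 5))
    print("bits for 16 ASCII chars:", brute_force_bits(128, 16))
```

Because only the digest travels and is stored, the digest is what the server checks; the hex digest is 32 characters long whatever the password length, which is why the post says length only matters against brute force of the underlying password.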

Joined: 2021-04-13 05:25:02
Posts: 4
Sorry for getting back to you late. Yes, verified just now: the first 16 chars get me logged in. I never realized that limit was the password length, because LL's site actually let me change my password well beyond the limit. It seems like other viewers and the web truncate the password to 16 chars, and I will try to raise a request with LL to allow longer passwords, because I believe I am not the only one using a "pass phrase" instead of a plain password, and such constraints can limit the actual security of the password/pass-phrase.
Thank you for assistance... :)


2021-06-23 05:56:29

Joined: 2009-03-17 18:42:51
Posts: 5523
If you are mindful about password security, then the best approach is to use a password generator which itself hashes a unique and secret password (never used/submitted anywhere else than in the generator) after combining it with each site's domain name (and possibly an additional secret phrase, if the generator allows it): such generated passwords are impossible to guess (e.g. via dictionary attacks) and require brute-force attacks that are impossible to achieve in practice (too much time needed and/or too few retry attempts allowed), while you only have to remember a single password for all sites.

For my browser (Pale Moon), I use a self-modified (*) version of the "Password Hasher" extension, which works entirely locally (nothing is submitted to a third-party site: I do not trust any password generator using an online database): good luck guessing any of my passwords! :lol:


(*) I added to the original Password Hasher a secret pass phrase setting, which is kept in the browser settings and appended to the site domain name before the hashing with the master password is done. This secures the master password against (semi) clear-text attacks, should the hashed password be recovered by a pirate (e.g. when they recover a badly secured website's password database and that database is itself not encrypted); knowing the password generator algorithm, the site domain name and the final hashed password would otherwise allow a brute-force attack to find your master (secret) password...


2021-06-23 08:55:09
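The derivation scheme and the attack from the footnote above, as an added example. This is not the Password Hasher extension's code and the thread does not give that extension's algorithm; the scheme here (HMAC-SHA256 keyed by the master password over the domain with the secret phrase appended, base64 encoded, cut to 16 characters) is an illustrative stand-in chosen so the same structure is visible. The wordlist, the master password and the phrase are constructed; the deliberately weak master is there to show what the phrase adds.

```python
"""Per-site password derivation in the spirit of the Password Hasher approach
described above. Illustrative scheme only (the thread does not give the
extension's algorithm): HMAC-SHA256 keyed by the master password, over the
site domain with an optional secret phrase appended, base64 encoded and cut
to the site's length limit. Constructed example, not the extension's code."""
import base64
import hashlib
import hmac
from typing import Iterable, Optional


def derive_site_password(master: str, domain: str, secret_phrase: str = "",
                         length: int = 16) -> str:
    """Deterministic: the same master + domain (+ phrase) always gives the same
    password, so nothing has to be stored anywhere. The phrase is appended to
    the domain, as the modified extension does, before hashing with the master."""
    message = (domain + secret_phrase).encode("utf-8")
    tag = hmac.new(master.encode("utf-8"), message, hashlib.sha256).digest()
    # Base64 yields upper/lower case, digits and + /; 16 chars fits the SL limit.
    return base64.b64encode(tag).decode("ascii")[:length]


def recover_master(leaked: str, domain: str, candidates: Iterable[str],
                   phrase_guess: str = "") -> Optional[str]:
    """The footnote's attack: a pirate who holds a site's un-encrypted password
    database, knows the algorithm and the domain, tries master candidates until
    one reproduces the leaked password. Succeeds only if phrase_guess is right."""
    for candidate in candidates:
        if hmac.compare_digest(
                derive_site_password(candidate, domain, phrase_guess), leaked):
            return candidate
    return None


# Constructed wordlist standing in for a dictionary attack; not real data.
WORDLIST = ["password", "letmein", "hunter2", "correct horse", "tr0ub4dor&3"]


if __name__ == "__main__":
    master = "tr0ub4dor&3"                      # weak on purpose: it is in WORDLIST
    sl = derive_site_password(master, "secondlife.com")
    other = derive_site_password(master, "example.com")
    print(sl, other, sl != other)                # distinct password per site

    # Without a secret phrase, the leaked site password gives the master away.
    print(recover_master(sl, "secondlife.com", WORDLIST))   # tr0ub4dor&3

    # With a phrase the attacker does not know, the same dictionary finds nothing.
    sl_hardened = derive_site_password(master, "secondlife.com", "my quiet extra words")
    print(recover_master(sl_hardened, "secondlife.com", WORDLIST))  # None
```

Two caveats follow from the post itself: the phrase lives in the browser settings, so it only helps in the scenario the footnote describes (a leaked website database), not when the local machine is compromised; and a per-site password is only as strong as the master password, since the attack above is a plain dictionary search over master candidates.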

Joined: 2011-10-07 10:39:20
Posts: 181
The whole password thing is kind of obsolete, but the alternatives are not really good yet.

I actually wonder if it would be useful to store the password in the system's default keyring instead of the self-made password storage system used by the current viewer. Linux, Windows and OS X all provide better encrypted password storage options these days.

Would you accept patches to add keyring support for stored passwords to the viewer?

e.g. gnome keyring, or similar stuff on Windows (like DPAPI-NG https://docs.microsoft.com/en-us/window ... /cng-dpapi or the credentials locker APIs)?
OS X has something like it too, but I do not have a recent enough Mac to try it.

Kathrine


2021-06-23 15:23:42

Joined: 2009-03-17 18:42:51
Posts: 5523
kathrine wrote:
I actually wonder if it would be useful to store the password in the systems default keyring instead of the self made password storage systems used by the current viewer?
The issue is not about securing how your hashed password is kept on your own hard drive/SSD, but about the strength of the non-hashed password...

Quote:
Linux, Windows and OS X all provide better encrypted password storage options these days.
I won't trust Microsoft or Apple, and AFAIK these are just session storage (i.e. non-persistent across OS sessions)... It's at least the case under Linux. I know many people now do not shut down their PC any more (which is a cruel mistake), but for people like me, it would be of no use at all.

If you want to secure your locally stored password hash (and all your private data, including browser cookies, emails and the like), simply use an encrypted disk partition for your computer account, like I do.

Quote:
Would you accept patches to add keyring support for stored passwords to the viewer?
No, thank you. Plus, LL is examining two-factor authentication (which will be quite an impairment to logging in for people like me, without a mobile phone; let's hope they will implement an email-based second factor), so working yourself on this front would be a total waste of time.


2021-06-23 20:40:37

Joined: 2016-06-02 09:35:09
Posts: 3
Hello Henri,

thanks for the reactivation.

I've spotted a little glitch in the UI after making a hard and long SL password (24 chars).
The panel_login.xml cuts the password field at 17 characters, so for me no login is possible,
neither with a fresh copy of the newest release nor with older, already used versions.
It happens on Windows and Linux builds.

Login with command-line parameters also does not work for me,
because I still haven't found a way to escape/pass special characters (brackets) through the eval check:
./cool_vl_viewer: eval: Line 235: `$LL_WRAPPER $VIEWER_BINARY --grid AGNI --login Dianna Loxely very(very)secret

Best Regards,
Dianna Loxely


2021-07-05 06:15:38

Joined: 2009-03-17 18:42:51
Posts: 5523
This is not the Cool VL Viewer's fault. SL passwords are now limited to 16 characters (while the Cool VL Viewer accepts 64 characters). See this thread for details. EDIT: I merged the two topics since they deal with the same issue.


2021-07-05 07:08:42

Joined: 2016-06-02 09:35:09
Posts: 3
Referring to viewtopic.php?f=6&t=2194

Very interesting information!

Login with the first 16 chars of the 24-byte PW was working.
The SL website and Marketplace behave the same way: login with the shortened PW works (just tried a few minutes ago).


2021-07-06 21:31:56