Thread: [Fremantle Maemo5] Share your code
#21
Originally Posted by juiceme:
So it hashes the password and saves the hash to a file.
Does the authentication phase then compare a hashed input password against the hash in the file?

What prevents a malicious user from creating a hash for a password, replacing the hash in the file and logging in with the new password?

Yes, it saves the hash;
yes, it compares the inputted text/password as hash to the stored hashed password.

I was thinking about protecting the password file itself somehow but have not yet implemented any solution for that.
But... even if a malicious user would create a new password, even password protection can be removed by hand so the original user/owner can access the database (frankly speaking, even the database should be secured; maybe I shall try that too but I need some learning on how to secure sqlite3 databases. MySQL does that 'out of the box' but that would be a big dependency to be installed...)... It is not a super-secure system yet, and I'm not an expert in this field, but I'm trying to find solutions for these problems/ideas... So thanks for the suggestion, I will try to implement your observations!

jm

EDIT:// I did some experiments just out of curiosity:
- manually modifying the password file results in the password always being incorrect, even if the correct text/letter is typed back;
- if I do the following from shell:
Code:
echo 'new_password_as_hashed_text' > password
then the password will be incorrect even if the correct text is typed at authentication;
- if a new password is set from Python on the device itself (or maybe generated in Python on another system and copied to the appropriate location) then it will work.

Last edited by justmemory; 2017-04-07 at 09:06.
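
Added example, not part of the original post and not the application's own code: a sketch of the scheme discussed above (hash stored in a file, compared at login) using a salted PBKDF2 record, strict parsing so a hand-edited file never matches, and a permission check on the file before it is trusted. The function names, the "salt$hash" record format and the iteration count are assumptions.

```python
import hashlib, hmac, os, secrets, stat

ITERATIONS = 100_000  # assumed work factor; tune for the target device

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(password, salt=None):
    """Return 'salt_hex$hash_hex' for storage (salted PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt.hex() + "$" + _pbkdf2(password, salt).hex()

def verify(record, password):
    """True only if the password matches; a malformed record never matches."""
    try:
        salt_hex, digest_hex = record.strip().split("$")
        salt, stored = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if len(salt) < 16 or len(stored) != 32:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_pbkdf2(password, salt), stored)

def save_record(path, record):
    """Write the record to a file only its owner can read or write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as f:
        f.write(record + "\n")

def load_record(path):
    """Refuse a record file that another account could have replaced."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError("password file is owned by another user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError("password file is group- or world-writable")
    with open(path) as f:
        return f.read()
```

A well-formed record generated for a different password still verifies for that password, so the comparison alone cannot detect replacement; the permission check only covers other accounts, not the same user or root, and the containing directory must not be writable by others either.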
 
