Bitcoin Forum

Other => Meta => Topic started by: theymos on July 10, 2012, 10:09:50 PM



Title: Forum will be down in an hour
Post by: theymos on July 10, 2012, 10:09:50 PM
In an hour from this post, I will disable posting for most members, backup the forum database, and apply error's patch to SMF which upgrades the password hashing algorithm. This will probably take 30-60 minutes, or longer if something goes wrong. Don't write any long messages close to this time or you might lose your message.


Title: Re: Forum will be down in an hour
Post by: Gladamas on July 10, 2012, 10:13:06 PM
Great! Just curious, what hashing algorithm are you switching from/to? And will this require a password reset?


Title: Re: Forum will be down in an hour
Post by: Luceo on July 10, 2012, 10:13:56 PM
Good news. Greater security is worth a little downtime. ^^


Title: Re: Forum will be down in an hour
Post by: theymos on July 10, 2012, 10:16:31 PM
Great! Just curious, what hashing algorithm are you switching from/to? And will this require a password reset?

The default algorithm is SHA-1 salted with the lowercase username. The new algorithm is 7500 rounds of SHA-256 salted with 12 bytes of random data.

Your password will be automatically upgraded to the new algorithm next time you login. I will log everyone out so that a lot of passwords are upgraded right away.
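The migration theymos describes above (the SMF default of SHA-1 salted with the lowercased username, replaced by 7500 rounds of SHA-256 with a 12-byte random salt, with each account upgraded transparently on its next login), written out as an added Python example; this is not error's SMF patch or any bitcointalk code. The exact SHA-256 chaining and the stored record format are assumptions, since the thread does not state them.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ROUNDS = 7500    # iteration count named in the thread
SALT_LEN = 12    # bytes of random salt named in the thread


def legacy_hash(username: str, password: str) -> str:
    """SMF's default scheme as described in the thread: SHA-1 over the
    lowercased username followed by the password (the username is the salt)."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def iterated_sha256(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """ASSUMED construction: hash salt||password once, then re-hash the running
    digest (rounds - 1) more times. The thread only gives the round count and
    salt size, so this is a stand-in with the same work factor."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def new_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Stored form 'sha256:<rounds>:<salt hex>:<digest hex>' (constructed format,
    self-describing so the round count can be raised later without a reset)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return f"sha256:{ROUNDS}:{salt.hex()}:{iterated_sha256(password, salt).hex()}"


def verify(username: str, password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Upgrade-on-login: returns (ok, replacement). 'replacement' is a new-format
    record to write back when a legacy SHA-1 record verified, else None."""
    if stored.startswith("sha256:"):
        _, rounds, salt_hex, digest_hex = stored.split(":")
        calc = iterated_sha256(password, bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(calc.hex(), digest_hex), None
    # legacy record: only the SHA-1 hex digest is stored, salt is the username
    if hmac.compare_digest(legacy_hash(username, password), stored):
        return True, new_hash(password)   # plaintext is available now, so rehash
    return False, None
```

Because the new record carries its own round count, the same `verify` keeps working if the rounds are later increased and older records are upgraded on their next successful login.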


Title: Re: Forum will be down in an hour
Post by: Tachikoma on July 10, 2012, 10:22:17 PM
Great, thanks for the password upgrade :)


Title: Re: Forum will be down in an hour
Post by: pekv2 on July 10, 2012, 10:23:08 PM
Great! Just curious, what hashing algorithm are you switching from/to? And will this require a password reset?

The default algorithm is SHA-1 salted with the lowercase username. The new algorithm is 7500 rounds of SHA-256 salted with 12 bytes of random data.

Your password will be automatically upgraded to the new algorithm next time you login. I will log everyone out so that a lot of passwords are upgraded right away.

Theymos, I salute you and the others that I don't know that are helping you for making the forum more tightly secure.

Great news to hear. When possible, I will donate, I've been wanting to so badly but cannot atm for a few months, it won't be small either.


Title: Re: Forum will be down in an hour
Post by: myrkul on July 10, 2012, 10:30:49 PM
Great! Just curious, what hashing algorithm are you switching from/to? And will this require a password reset?

The default algorithm is SHA-1 salted with the lowercase username. The new algorithm is 7500 rounds of SHA-256 salted with 12 bytes of random data.

Jesus.... that's better security than my bank.

Will that result in a noticeable delay in logging in?


Title: Re: Forum will be down in an hour
Post by: Gladamas on July 10, 2012, 10:37:58 PM
Great! Just curious, what hashing algorithm are you switching from/to? And will this require a password reset?

The default algorithm is SHA-1 salted with the lowercase username. The new algorithm is 7500 rounds of SHA-256 salted with 12 bytes of random data.

Jesus.... that's better security than my bank.

Will that result in a noticeable delay in logging in?

Well, let's say the server that Bitcointalk is hosted on could get 3 Mh/s mining on its CPU(s). One Bitcoin mining hash is 2 rounds of SHA-256, so 3,000,000/(7500/2) = 800 logins/second.


Title: Re: Forum will be down in an hour
Post by: myrkul on July 10, 2012, 10:40:48 PM
Great! Just curious, what hashing algorithm are you switching from/to? And will this require a password reset?

The default algorithm is SHA-1 salted with the lowercase username. The new algorithm is 7500 rounds of SHA-256 salted with 12 bytes of random data.

Jesus.... that's better security than my bank.

Will that result in a noticeable delay in logging in?

Well, let's say the server that Bitcointalk is hosted on could get 3 Mh/s mining on its CPU(s). One Bitcoin mining hash is 2 rounds of SHA-256, so 3,000,000/(7500/2) = 800 logins/second.

So.... No, huh? ;)


Title: Re: Forum will be down in an hour
Post by: BrightAnarchist on July 10, 2012, 10:42:47 PM
Very nice! I'm going to have to upgrade my password of course.


Title: Re: Forum will be down in an hour
Post by: theymos on July 10, 2012, 10:44:41 PM
Will that result in a noticeable delay in logging in?

No. It's pretty fast.


Title: Re: Forum will be down in an hour
Post by: pekv2 on July 10, 2012, 10:55:51 PM
Very nice! I'm going to have to upgrade my password of course.

Ditto. I was thinking the same as a precaution. I don't believe it is a "have to" as theymos said it will be upgraded.


Title: Re: Forum will be down in an hour
Post by: pekv2 on July 10, 2012, 10:56:27 PM
Will that result in a noticeable delay in logging in?

No. It's pretty fast.

What processor is being used if you don't mind me asking?

I'd love to see a photo of the system but I doubt that will happen.


Title: Re: Forum will be down in an hour
Post by: theymos on July 10, 2012, 11:03:33 PM
What processor is being used if you don't mind me asking?

/proc/cpuinfo says "Intel(R) Core(TM)2 Duo CPU     T7700  @ 2.40GHz". This might be virtual, though.


Title: Re: Forum will be down in an hour
Post by: myrkul on July 10, 2012, 11:07:01 PM
Hey, wait! I'm not ready ye-



;)


Title: Re: Forum will be down in an hour
Post by: unclemantis on July 10, 2012, 11:08:44 PM
Fire away!


Title: Re: Forum will be down in an hour
Post by: error on July 10, 2012, 11:30:28 PM
If it breaks, you get to keep both pieces.

Just kidding. :)


Title: Re: Forum will be down in an hour
Post by: gweedo on July 10, 2012, 11:36:33 PM
sounds good to me! Just wondering why no bcrypt?


Title: Re: Forum will be down in an hour
Post by: error on July 11, 2012, 12:35:01 AM
Don't ask me. I was specifically advised not to say anything about the choice of algorithm. :)


Title: Re: Forum will be down in an hour
Post by: theymos on July 11, 2012, 12:38:26 AM
OK, it's done. Tell me if there are any problems.


Title: Re: Forum will be down in an hour
Post by: rjk on July 11, 2012, 12:40:21 AM
OK, it's done. Tell me if there are any problems.
Just a half-second blip while LastPass logged me in again, and all is well!


Title: Re: Forum will be down in an hour
Post by: error on July 11, 2012, 12:41:25 AM
I got logged out twice, once when the forum came back up, and again just a moment ago, but aside from that all seems well.


Title: Re: Forum will be down in an hour
Post by: opticbit on July 11, 2012, 12:42:00 AM
It's back, login was quick


Title: Re: Forum will be down in an hour
Post by: Vod on July 11, 2012, 12:57:06 AM
OK, it's done. Tell me if there are any problems.

Hmmm, based on the delay logging in, I think my password was hashed with 7550 rounds of SHA-256 and salted with 18 bytes of random data.   :(


Title: Re: Forum will be down in an hour
Post by: myrkul on July 11, 2012, 01:03:27 AM
OK, it's done. Tell me if there are any problems.

Hmmm, based on the delay logging in, I think my password was hashed with 7550 rounds of SHA-256 and salted with 18 bytes of random data.   :(

I detected no such delay. :p


Title: Re: Forum will be down in an hour
Post by: error on July 11, 2012, 01:05:28 AM
OK, it's done. Tell me if there are any problems.

Hmmm, based on the delay logging in, I think my password was hashed with 7550 rounds of SHA-256 and salted with 18 bytes of random data.   :(

Naa, your tubes were just clogged up.


Title: Re: Forum will be down in an hour
Post by: payb.tc on July 11, 2012, 01:11:00 AM
everything seems to be back, except my avatar URL is still in maintenance mode.
nm, just had to do a hard refresh on that specific URL.


Title: Re: Forum will be down in an hour
Post by: Gladamas on July 11, 2012, 01:35:28 AM
everything seems to be back, except my avatar URL is still in maintenance mode.
nm, just had to do a hard refresh on that specific URL.


Same here, and how do you do that?


Title: Re: Forum will be down in an hour
Post by: pekv2 on July 11, 2012, 01:50:34 AM
No delay here for logging in for me, it was very fast, faster than a blink of an eye < exaggerating, but pretty much close. Boom, logged in.


Title: Re: Forum will be down in an hour
Post by: theymos on July 11, 2012, 02:10:58 AM
sounds good to me! Just wondering why no bcrypt?

bcrypt is no more difficult to brute-force than SHA-256 is with an appropriate number of rounds. But SHA-256, unlike Blowfish, is recommended by NIST and other standards organizations for password hashing, and it was specifically designed for one-way hashing.

I also have an aversion to any overly-hyped technology.


Title: Re: Forum will be down in an hour
Post by: payb.tc on July 11, 2012, 02:20:45 AM
everything seems to be back, except my avatar URL is still in maintenance mode.
nm, just had to do a hard refresh on that specific URL.


Same here, and how do you do that?

right-click on your broken image where the avatar should be and choose "Open image in a new tab/window".
go to that new tab/window and hold down shift while you click refresh.
go back to the forum page and hit refresh.

these instructions work in windows on chrome.

by the way, for comparison, the bitcoinmax login is hashed around 80,000 times with sha-256 and even that 'overkill' doesn't produce a noticeable delay when logging in.


Title: Re: Forum will be down in an hour
Post by: Gladamas on July 11, 2012, 02:35:43 AM
everything seems to be back, except my avatar URL is still in maintenance mode.
nm, just had to do a hard refresh on that specific URL.


Same here, and how do you do that?

right-click on your broken image where the avatar should be and choose "Open image in a new tab/window".
go to that new tab/window and hold down shift while you click refresh.
go back to the forum page and hit refresh.

these instructions work in windows on chrome.

Thank you!


Title: Re: Forum will be down in an hour
Post by: Maged on July 11, 2012, 07:35:56 AM
I will, personally, be keeping the backup theymos made for a week, and I don't know how long theymos plans on keeping his copy, so if you have any problems at all, let us know before then.


Title: Re: Forum will be down in an hour
Post by: Raoul Duke on July 11, 2012, 08:04:45 AM
everything seems to be back, except my avatar URL is still in maintenance mode.
nm, just had to do a hard refresh on that specific URL.


Same here, and how do you do that?

right-click on your broken image where the avatar should be and choose "Open image in a new tab/window".
go to that new tab/window and hold down shift while you click refresh.
go back to the forum page and hit refresh.

these instructions work in windows on chrome.

CTRL+F5 also works ;)


Title: Re: Forum will be down in an hour
Post by: caveden on July 11, 2012, 08:17:03 AM
OK, it's done. Tell me if there are any problems.

I had to clear my browser's (Chrome) cookies in order to log in back again. Was it to be expected?


Title: Re: Forum will be down in an hour
Post by: Raoul Duke on July 11, 2012, 08:25:03 AM
OK, it's done. Tell me if there are any problems.

I had to clear my browser's (Chrome) cookies in order to log in back again. Was it to be expected?

Didn't happen to me on Firefox, so I would say no.
Probably a browser quirk only. It happens sometimes.


Title: Re: Forum will be down in an hour
Post by: Serenata on July 11, 2012, 12:14:12 PM
Didn't notice any delay logging in or any other issues whatsoever.

Keep up the great work!


Title: Re: Forum will be down in an hour
Post by: error on July 12, 2012, 01:20:51 AM
OK, it's done. Tell me if there are any problems.

I had to clear my browser's (Chrome) cookies in order to log in back again. Was it to be expected?

A few people may need to clear their cookies to login again after the changes. The cookie name was changed, among other things.


Title: Re: Forum will be down in an hour
Post by: Raize on July 12, 2012, 02:03:55 AM
I think there needs to be a new Internet law. It goes like this:
As talk about one-way hashes and seeding continues, the probability that someone will mention bcrypt approaches 1.

No offense to gweedo, of course. :P


Title: Re: Forum will be down in an hour
Post by: Raize on July 12, 2012, 04:05:42 AM
Nothing is necessarily wrong with it. It's just always mentioned in every thread dealing with hashes and seeding.

This probably has to do with it:
http://codahale.com/how-to-safely-store-a-password/

There's really nothing wrong with scrypt or PBKDF2, either, they all intend to solve the same problem.