Pushpool can checked Hashpasswords?

[Xenland]

I think I saw somebody propose this not too long ago can't find the thread, but Is there a way to edit pushpool json to check hashed passwords? I tried doing password(`password) but that actually just checks a hashed-hashed password. Any suggestions?

[Inaba]

There's plenty of ways to do it, it depends on how the passwords are hashed in your database.  Pushpool does not use JSON to retrieve the passwords, it uses API calls to the database of choice.

But... that begs the question of why bother to hash worker passwords, since the worst someone could do with it is submit shares in your name (oh the horror!).

[Xenland]

LOL I thought the same thing but It seems that unknowledgable users think different and this is affecting how my software looks towards the general public.
Also another note that was mentioned to me was that often users will use their same password as their worker for their login password which is kind of an inconvience to the those who manage the miners. I guess I could force them to not have a password, but again unknowledgable users will be all over that idea aswell.

[TeraPool]

I believe I just sall a pull request for this on jgarzik's github account.

I have a question... why require passwords at all?

If you are worried about somebody stealing them.. why not simply do away with passwords in general and tell people to keep their miner usernames secret like a password?

As you said, what's the big deal with somebody submitting shares in your name?

[Xenland]

I believe I just sall a pull request for this on jgarzik's github account.

I have a question... why require passwords at all?

If you are worried about somebody stealing them.. why not simply do away with passwords in general and tell people to keep their miner usernames secret like a password?

As you said, what's the big deal with somebody submitting shares in your name?

Ultimately its psychological it seems a lot of n00bs tend to think that their miners can get over ran with out a passwords. I get funny questions like that all day. but can't blame them we were all n00bs once

[Inaba]

Well, to answer your question, you will need to change db-mysql.c and in the my_pwdb_lookup function, change "return pass_ret;" to "return <hashfunction>(pass_ret);"

Incidentally, no one has ever mentioned to me anything about hashing the worker passwords on my pool.

[bcforum]

I like the Eligius solution best. My username is the address I want payments sent to. There isn't any way someone can steal my work*, and I don't have to manage a bunch of different usernames, passwords, or verify the target address has been changed.

I've pondered for a while about how hard it would be to create a receiving address that matched the first 5-8 characters of someone else's address. How many people actually check the ENTIRE address when verifying their mining payments are going to the correct place?

* They could steal my wallet, but at that point my mining password is the least of my problems.

[Xenland]

hmm intresting idea bcfourm.
and to inaba, its mostly those who download my software then those who join my pool