Bitcoin Forum
Topic: Can Pushpool check hashed passwords?  (Read 943 times)
Xenland
Legendary
Activity: 980
I'm not just any shaman, I'm a Sha256man
July 03, 2011, 07:53:51 PM
 #1

I think I saw somebody propose this not too long ago, but I can't find the thread. Is there a way to edit the pushpool JSON to check hashed passwords? I tried doing password(`password) but that actually just checks a hashed-hashed password. Any suggestions?
Inaba
Legendary
Activity: 1260
July 06, 2011, 01:39:59 AM
 #2

There are plenty of ways to do it; it depends on how the passwords are hashed in your database.  Pushpool does not use JSON to retrieve the passwords, it uses API calls to the database of choice.

But... that begs the question of why bother to hash worker passwords, since the worst someone could do with it is submit shares in your name (oh the horror!).


If you're searching these lines for a point, you've probably missed it.  There was never anything there in the first place.
Xenland
July 06, 2011, 09:57:09 AM
 #3

LOL, I thought the same thing, but it seems that unknowledgeable users think differently and this is affecting how my software looks to the general public.
Also, another note that was mentioned to me was that users will often use the same password for their worker as their login password, which is kind of an inconvenience to those who manage the miners. I guess I could force them to not have a password, but again unknowledgeable users will be all over that idea as well.
TeraPool
Jr. Member
Activity: 42
July 12, 2011, 11:30:47 PM
 #4

I believe I just saw a pull request for this on jgarzik's GitHub account.

I have a question... why require passwords at all?

If you are worried about somebody stealing them.. why not simply do away with passwords in general and tell people to keep their miner usernames secret like a password?

As you said, what's the big deal with somebody submitting shares in your name?

Xenland
July 13, 2011, 12:25:20 AM
 #5

Quote from: TeraPool on July 12, 2011, 11:30:47 PM
> I believe I just saw a pull request for this on jgarzik's GitHub account.
>
> I have a question... why require passwords at all?
>
> If you are worried about somebody stealing them.. why not simply do away with passwords in general and tell people to keep their miner usernames secret like a password?
>
> As you said, what's the big deal with somebody submitting shares in your name?

Ultimately it's psychological; it seems a lot of n00bs tend to think that their miners can get overrun without a password. I get funny questions like that all day, but I can't blame them, we were all n00bs once :P
Inaba
July 13, 2011, 03:27:42 AM
 #6

Well, to answer your question, you will need to change db-mysql.c and in the my_pwdb_lookup function, change "return pass_ret;" to "return <hashfunction>(pass_ret);"

Incidentally, no one has ever mentioned to me anything about hashing the worker passwords on my pool.

If you're searching these lines for a point, you've probably missed it.  There was never anything there in the first place.
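
Added example (not part of the thread and not pushpool code): a Python sketch of where the hash has to be applied when the worker table stores only password hashes, including the "hashed-hashed" result described in the first post. The salted PBKDF2 storage format, the `pwdb_lookup` stand-in, the worker name and the sample password are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def hash_password(password: str, salt: bytes) -> str:
    """Return 'salt_hex$digest_hex', the assumed format of the stored column."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def pwdb_lookup(db: dict, worker: str):
    """Hypothetical stand-in for the database lookup; None if no such worker."""
    return db.get(worker)


def check_plaintext_compare(db, worker, submitted):
    """Compare the submitted plaintext directly with the stored value."""
    stored = pwdb_lookup(db, worker)
    return stored is not None and hmac.compare_digest(
        stored.encode(), submitted.encode())


def check_hash_stored_side(db, worker, submitted):
    """Hash the looked-up value again: a hash of a hash never matches."""
    stored = pwdb_lookup(db, worker)
    if stored is None:
        return False
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(
        hash_password(stored, salt).encode(), submitted.encode())


def check_hash_submitted_side(db, worker, submitted):
    """Hash the submitted password with the stored salt, then compare digests."""
    stored = pwdb_lookup(db, worker)
    if stored is None:
        return False
    salt = bytes.fromhex(stored.split("$")[0])
    return hmac.compare_digest(
        hash_password(submitted, salt).encode(), stored.encode())


# Constructed sample data: one worker whose password exists only as a hash.
DB = {"xen.worker1": hash_password("s3cret-worker", os.urandom(16))}
```

Only `check_hash_submitted_side` accepts the correct password against a hashed column; the other two reject it because one side of the comparison is still plaintext or has been hashed twice.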
bcforum
Full Member
Activity: 140
July 13, 2011, 01:31:49 PM
 #7


I like the Eligius solution best. My username is the address I want payments sent to. There isn't any way someone can steal my work*, and I don't have to manage a bunch of different usernames, passwords, or verify the target address has been changed.

I've pondered for a while about how hard it would be to create a receiving address that matched the first 5-8 characters of someone else's address. How many people actually check the ENTIRE address when verifying their mining payments are going to the correct place?

* They could steal my wallet, but at that point my mining password is the least of my problems.

If you found this post useful, feel free to share the wealth: 1E35gTBmJzPNJ3v72DX4wu4YtvHTWqNRbM
Xenland
July 13, 2011, 02:59:18 PM
 #8

Hmm, interesting idea, bcforum.
And to Inaba, it's mostly those who download my software then those who join my pool