[nos-bbs] MD5 (was: etelnet)
Miroslav Skoric
skoric at uns.ac.rs
Sun Feb 25 06:47:36 EST 2018
On 02/25/2018 12:58 AM, Boudewijn (Bob) Tenty wrote:
>
> I used it for normal user access and not for forwarding, and I don't even know
> whether the forward.bbs script accepts the etelnet command.
> MD5 is not so secure and can be cracked by a brute-force attack and suffers from
> extensive vulnerabilities.
>
In general, and not only for use with *NOS systems (but also with FBB
or BCM), I wonder if MD5-based user access & forwarding were eventually
replaced by some safer algorithms?

Or as an alternative, maybe just to partially update MD5 procedures, by
introducing a software mechanism (a script or whatever) that would
automatically change the content of the 'secret key' string at a preset
time (negotiated separately between any two bbs sysops and/or a sysop
and a particular end-user). For example, if I remember properly, the
MD5-based security in FBB related to an 80-character 'secret key' that
was located both at the user side and the server side. That key remained
permanent all the time, which means unchanged, hence probably prone to
hacking attempts. But if some mechanism were introduced to
periodically change the content of that key (for example, just change
the order of the elements of the key, such as to move character #1
to the last position in the row, i.e. to position #80, and to move
the remaining 79 characters one position to the left, i.e. #2 to #1, #3 to
#2, ...), I wonder whether that operation would increase MD5 usability?

Misko YT7MPB
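
Added example, not part of the original message and not code from FBB, BCM or any *NOS package: a Python model of the rotation schedule described above, measuring how many different keys it can ever produce. The response form MD5(challenge + key), the function names and the sample key are assumptions constructed for illustration.

```python
import hashlib

# Constructed 80-character sample key with no repeated characters,
# so every rotation of it is a different string.
BASE_KEY = "".join(chr(33 + (i * 7) % 90) for i in range(80))


def rotate_left(key: str, steps: int) -> str:
    """Move the first `steps` characters to the end of the key."""
    steps %= len(key)
    return key[steps:] + key[:steps]


def key_for_period(base_key: str, period: int) -> str:
    """Key in force after `period` scheduled one-position rotations."""
    return rotate_left(base_key, period)


def response(challenge: str, key: str) -> str:
    """ASSUMED challenge-response form: hex MD5 of challenge followed by key."""
    return hashlib.md5((challenge + key).encode("ascii")).hexdigest()


def distinct_keys(base_key: str) -> int:
    """How many different keys the schedule can ever yield (at most len(key))."""
    return len({rotate_left(base_key, n) for n in range(len(base_key))})


def find_period(challenge: str, observed: str, known_key: str):
    """Return the rotation of `known_key` that explains `observed`, or None.

    Costs at most len(known_key) MD5 computations, so a key disclosed once
    stays usable through every later rotation; rotation is not a re-key.
    """
    for n in range(len(known_key)):
        if response(challenge, rotate_left(known_key, n)) == observed:
            return n
    return None


if __name__ == "__main__":
    seen = response("48151623", key_for_period(BASE_KEY, 37))  # constructed challenge
    print("distinct keys in schedule:", distinct_keys(BASE_KEY))
    print("rotation recovered from one old key:", find_period("48151623", seen, BASE_KEY))
```

The schedule repeats after 80 periods and adds at most log2(80), about 6.3 bits, of uncertainty on top of the base key, whereas replacing the whole key with fresh random characters at each change would not have that limit.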