Cookies not sticking and username change?
https://www.s2ki.com/forums/showthread.php?...?threadid=20188
From the Car Talk forum. Thanks for any help.
Me too Shell, me too.........
I deleted all my "cookies" yesterday. When I logged on I couldn't post and the system wouldn't take my password. I had the system send me my ID and password and got in last night using what was sent. Today same problem.....so I went to the email from yesterday and cut and pasted my password......no luck. So I asked the system to once again send me my ID and password. Today I get another new password?????
Any thoughts???
This really should be in the FAQ, oh well. We don't know your password. When you ask for it you are given a new one. Every time you click that link you will get a new randomly generated 6 character password which replaces your old one.
Here is how it works for the curious. You take a string of characters or bytes of data and you run it through an algorithm called MD5 or a message digest algorithm. It spits out a 32 character message digest of that string (a fingerprint if you will). We store that in the database, not the password. MD5 is a one-way algorithm. That is that the same message always creates the same digest but you cannot recover the original message from the digest. The message in this case is your plain text password.
So if your password is bubbalubbalo the digest is 908d962e039f947d64404f07fafbd078 but there is no way to get bubbalubbalo from 908d962e039f947d64404f07fafbd078 except brute force guessing. That's how MD5 works and it's the basis for many if not most cryptographic and digital signature systems used today.
So if we don't know your password, how can you login? Simple, we compare the digest on file with the digest of what you enter as your password. That's why we can't send you your password. We make a new one randomly and then send it, storing the digest of that new password in the database.
So you say, didn't I just blow the whole thing by telling you how we do it? No. It's how almost everyone does it. It's secure not by secret but by science. To demonstrate, let me show you what the digests are for various forms of bubbalubbalo:
bubbalubbalo -> 908d962e039f947d64404f07fafbd078
Bubbalubbalo -> cf2bfceb67029a060663d5abd47a4569
BUBBALUBBALO -> e262f6804ba2609b4825b29cbe164883
You do the math. That's a number bigger than the number of atoms in the universe and then some. Suffice to say only God knows the answer and even that's suspect.
The only weak link in the system, as always, is the operator. If you tell someone your password on S2000 International and you use the same password on another site/system that uses the same method, that someone would know that you use the same password in both places (same digests) and thus your S2KI password will work there too. Of course they could just try logging in with the password you gave them and simplify things.
So: Don't reuse passwords. Don't share passwords. Don't make them easy to guess. Your S2KI account is worthless, your bank account maybe not so.
For S2KI, you shouldn't really need to remember it, just let the cookie do it and request a new password if you forget and need it. Also, the password we send you is random so it is not going to be the same as any other you use and impossible to guess even by someone that knows you very well.
Just a security 101 lesson that I hope helps some.
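Added example (not part of the post above, and not the forum's own code): the scheme the post describes, with digest-only storage, login by digest comparison, and a reset that replaces the password with a random 6-character one, shown beside a salted PBKDF2 record for which the "same password, same digests" observation no longer holds. All function names, the user name and the dictionaries standing in for the database are hypothetical.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 600_000  # assumed work factor for the salted variant

def md5_digest(password: str) -> str:
    """Unsalted MD5 as described in the post: a 32-character hex digest."""
    return hashlib.md5(password.encode()).hexdigest()

def reset_password(db: dict, user: str, length: int = 6) -> str:
    """Replace the stored digest with that of a new random password.
    The plaintext is returned once (to be e-mailed) and never stored."""
    new_pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    db[user] = md5_digest(new_pw)
    return new_pw

def login(db: dict, user: str, attempt: str) -> bool:
    """Compare the digest on file with the digest of what was entered."""
    stored = db.get(user)
    return stored is not None and hmac.compare_digest(stored, md5_digest(attempt))

def same_digest_across_sites(password: str) -> bool:
    """Two independent sites using unsalted MD5 end up with equal records."""
    site_a, site_b = {}, {}
    site_a["shell"] = md5_digest(password)   # constructed sample records
    site_b["shell"] = md5_digest(password)
    return site_a["shell"] == site_b["shell"]

def salted_record(password: str) -> tuple:
    """Salted, deliberately slow alternative: (salt, derived key)."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key

def salted_verify(record: tuple, attempt: str) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(key, candidate)

if __name__ == "__main__":
    db = {}
    pw = reset_password(db, "shell")
    print("login with e-mailed password:", login(db, "shell", pw))
    print("unsalted digests match across sites:", same_digest_across_sites("bubbalubbalo"))
    a, b = salted_record("bubbalubbalo"), salted_record("bubbalubbalo")
    print("salted records match:", a == b, "| still verifies:", salted_verify(a, "bubbalubbalo"))
```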
, but thanks for that more than adequate explanation.
