Hashed Passwords
From EduVNC
The hashed password feature stores and sends passwords as a message digest (scrambled text) instead of plain text. When storing passwords in the registry or sending them to the desktop to perform a login EduVNC uses a hashing function to scramble the password. A hashing function is a sort of one way encryption. Given the same password it always generates the same number which EduVNC uses to represent the password. But even knowing the hashing function and having the transmitted or stored number it is not possible calculate what the password was. This number is what EduVNC stores and sends to the server to authenticate. If the hashed value from the client and server match then the user is authenticated. This protects from password sniffing / recovery during login or from the registry.
Contents |
Using
Password hashing is automatically enabled on all services which are edited, saved, or created using EduVNC. Also if the user can write to the registry the plain text passwords will be upgraded to hashed when the service settings are loaded. It is not possible to create or alter a service in the EduVNC interface that doesn't use hashed passwords. EduVNC knows the password is stored hased when the ServiceName\PasswordHashed is set to True.
Bypassing
It is possible to create a plain text password by editing the registry entries for a service. The ServiceName\Password should be the plain text password with no additional spaces and ServiceName\PasswordHashed must be false. If the service is later edited using the EduVNC it will converted and stored hashed. If the service is started by a user with permission to edit the registry keys it will be converted and stored hashed.
Registry Information
HKLM\Software\EduVNC contains ServiceName\PasswordHashed which is the check box state. Valid values are:
- True: The box is checked. Password is treated like a hash
- False: The box is unchecked. Password is imported as plain text
- If value is undefined or other: The box defaults to False.
Additional Notes
For compatibility with early beta versions if the ServiceName\PasswordHashed is missing or invalid the password is assumed to be plain text and imported as such, but upon saving is it converted to a hashed value and ServiceName\PasswordHashed is set to true. So while the default is false, in practice the value will trend towards true.
Security Risks
It is important to realize that the hashed passwords are not a perfect. Hashed passwords have known weaknesses. Below are the known security risks that hashed passwords do not prevent.
- Hashed passwords do not prevent guessing of obvious or weak passwords. Hashing prevents recovery of the password from EduVNC, but not from other sources. If you password is guessed, hashing will not provide any protection.
- Password hashing on the clients browser is performed by the using JavaScript. The browser and any code (such as spyware) running on the client computer may intercept the password before it is sent to the browser and hashed. Hashing can only protect transmission and storage of the password, but it will not prevent snooping by the browser or client itself.
- It is possible to brute force the password by trying all possible passwords until you see which one produces the same message digest. EduVNC implements a salting technique which slows and complicates this process, but does not prevent it entirely. While this is a theoretical weakness, its not practicably exploitable.
- Hashing functions produces a fixed length number (the digest) from every possible password. Because the number possible passwords are larger than the number of digests more than one password produces the same password. An overly simplified example of this is converting names into initials. People who share the same initials don't have different name. The number of digest available and the hashing algorithm makes any such collision both very unlikely to occur and very difficult to find. While this is a theoretical weakness, its not practicably exploitable.
