Wikipedia Account Request System – Password Storage

The current ACC system has some really useless bits which are hard to change, such as the password storage system. At the moment, the database is filled with “securely” stored passwords, such as “5f4dcc3b5aa765d61d8327deb882cf99”. Any quick Google search will quickly tell you exactly how the passwords are currently stored, a simple MD5 hash. This is quite clearly inadequate, so as part of the rewrite I’ve been aiming to store the passwords much more securely.

In all the examples, I’m going to use the password “password”.

At the moment, it’s simple to set a password, just store

md5("password");

into the database. It’s also simple to check the password, just check

md5($suppliedpassword) === $storedpassword

However, I was wanting to store the passwords with a salt, a different salt for each user – hence making cracking the MD5 hash much less feasible.

The function I’m now using to encrypt a password is this:

The $2$ at the front indicates the version of the password hash for later use. For a password “password” and a username “username”, this gives the encrypted result $2$8c6e7b658b4be4bb325870a1764ca4fb

When a password is checked, the code looks at the first three chars of the stored password, and determines if it matches $2$ or not. If it does, the provided password is encrypted with the new hashing function, and compared to the stored password. If they match, it’s the right password.

If the first three chars are not $2$, then it hashes the password using the old method, compares it, and if it matches, takes the provided password, hashes it with the new function, saves it to the database, and returns that it’s the right password.

This has the effect of being transparent to the user, but increasing the security of their password the first time they log in to the new system.

Minecraft Pixel Art

Hey folks

Just thought you’d love to hear about a few things I’ve been doing in Minecraft recently!

PIXEL ART!

I decided to make the Google Chrome logo from coloured wool in Minecraft.

I took the Google Chrome Logo:

Reduced it to 32x32px (actually, I initially found a 32x32px image :P):

Applied this GIMP Colour Palette to it to adapt the colours to the wool colours in Minecraft (Image -> Mode -> Indexed, using custom palette – you’ll need to right click the palettes window and import it first):
(this is the one I’m actually using, if you use the one above, you’ll end up with this)

Build in Minecraft!

I’m considering building all the major browser’s logos, but I’m having a hard time finding the resources to do just Chrome’s. And Chrome has gone and got itself a new logo in the meantime…

Because I was finding it hard to know what I needed, I also built a spreadsheet. This spreadsheet knows all the requirements for the wool blocks, asks you what you need to complete the project, what you currently have, and goes away and calculates what else you need to gather.

Download spreadsheet

If you want to download it, feel free to. I’ve released it under CC-BY-SA, so do whatever you want with it under the terms of that licence (attribute me and share any changes you make under similar conditions, otherwise do what you want). Details are in the file.

Wikipedia Account Request System

I thought it was about time I did a bit of a technical post on the new Wikipedia Account Request System that’s been sat around slowly being worked on over what’s nearly a year(!) now.

It’s still a long way off, but I’ve not had time to actually buckle down and do work on it, so I’m hoping that I’ll be able to spend a bit more time with it in the near future.

Since the migration to GitHub, I’ve been doing quite a bit of development work on it, and have recently (semi) finalised the database, which will hopefully speed things up a bit, and stop me from saying “ooh, let’s do this with the database”, “nah, nevermind”, “ooh, let’s do this instead”, etc.

The database finalisation comes after writing the conversion script to convert the database from the current format into the new format – there’s roughly 35 operations to be done to make the database sort-of OK, 28 of which are done on one single database table.

I’m taking this opportunity to make these somewhat huge database changes to the core of the system as there’s not much that’s using the database at the moment in the new system, and a huge migration would have to happen in order to swap from one system to another anyway, so I’m not too fussed about making more changes like this.

As the developers of the current system will know, the code is quite frankly shocking. I’m pretty certain that SQL injection and XSS attacks are prevented, but only because we apply about 15000 sanitisation operations to the input data, mangling anything that’s remotely cool such as unicode chars – to cite a recent example: • – into a mess that MIGHT be displayed correctly on the tool, but any other areas just don’t work. In this case, MediaWiki rejected it as a bad title, because it was passed • instead of •.

The new system should hopefully solve some of these issues.

For starters, all the database quote escaping is going – I’m not even going to do database input sanitising – and I’m going to actively reject any change that adds it.

There’s a reason for this, and that is because of the database abstraction layer I’m using for this new system – PDO.

PDO handles all the database connection details for me automatically, and supports both raw SQL queries, and prepared statements. Where the former requires sanitisation to be secure, the latter doesn’t. You simply pass in place-holders (called parameters) to the query where your input goes. You can then bind values or variables to the parameters, and execute the query. Because the query and parameters are passed separately to the server, no sanitisation ever needs to happen because it’s just impossible to inject anything in the first place.

The really cool thing that I’m planning to (ab)use a lot is the ability to retrieve a database row from the database as an instance of a class you’ve previously defined.

The above is an actual excerpt from the User class of WARS at the moment, and the database structure of the acc_user table.

As you can see, the class has a set of fields which exactly match the names of the columns in the table. This is a key part of making the code work – all you need to do is create a query which pulls out all the columns for one row in the database, pass it the parameter which tells it which row to return, and then tell it to fetch an object, telling it which class to instantiate. A simple four-line function dealing with the searching and retrieval from the database, and instantiating a class with the relevant data – it’s actually beautiful! :D

My plan is to use this structure of data access objects for all the other database tables, and then I should be able to deal with the entire system on a purely object-based level, rather than constantly mashing in database queries here and there.

Git, GitHub, and some project ideas

Yeah, yeah, I’m an addict.

Already.

Monday was when I switched my first subversion repository over to Git, and over the course of the next few days, a couple more repositories had been switched. Thanks to this guy, I’m properly addicted to Git.

It’s been a bit of a learning curve, especially since I’ve quite literally grown up using subversion. The most worrying thing about moving from subversion to git is the message at the top of most guides: “forget everything you know about version control”.

I won’t go into describing the conversion from one to another, but I will say this: it’s tricky at first, but once you get the hang of it, it’s a much nicer and more natural workflow.

I’ve got a few repositories on github already, though some of them aren’t that great and don’t have that much in them.

I’ve got a few ideas for some projects I want to have a go at building too, quite a few of them are git oriented, such as a github android client (or more precisely, patching the existing one), and adding git support to mediawiki’s codereview extension. The list of stuff I want to do is here: http://helpmebot.org.uk/wiki/Idea_Lab

Skyla ft. Bashy – Lady Killer

Heard this song a few times now at Fresh, but it’s taken me quite a while to figure out what song it actually was – this video is also the only video of it I foundEdit: That video has gone offline unfortunately, you’ll have to believe my opinion!.

Awesome song :D