• Question on User Data

    From Feserenity@VERT to All on Tue Feb 17 19:28:30 2026
    Hello! I'm just setting up a Synchronet instance and reading through the configuration docs in my spare time. I noticed that user information is stored in plaintext flatfiles (which is in line with ye olde days.) Are there any existing password hash modules for handling login so that passwords are obfuscated for new users? If not, would it be possible to add into the login process? I haven't coded in C for a number of years now but would be willing to go poke at it.

    Thanks in advance!

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Digital Man@VERT to Feserenity on Tue Feb 17 19:45:25 2026
    Re: Question on User Data
    By: Feserenity to All on Tue Feb 17 2026 07:28 pm

    Hello! I'm just setting up a Synchronet instance and reading through the configuration docs in my spare time. I noticed that user information is stored in plaintext flatfiles (which is in line with ye olde days.) Are there any existing password hash modules for handling login so that passwords are obfuscated for new users? If not, would it be possible to add into the login process? I haven't coded in C for a number of years now but would be willing to go poke at it.

    No, there's no mechanism for hashing or encrypting the passwords in the Synchronet userbase (today, that's data/user/user.tab). A one-way hash would be particularly tricky because Synchronet supports a bunch of digest-based authentication methods that all require different hashes of the password along with challenge/nonce/salt (so you need the original password to compute those).

    We could encrypt the passwords on disk (reversible to plaintext again, for the above stated reasons), but then you need to have/store a key to decrypt them somewhere and how is that any more secure than the user.tab file? It's a can of worms that hasn't been worth dumping out and sorting through.
    --
    digital man (rob)

    Synchronet/BBS Terminology Definition #74:
    SMB = Synchronet Message Base (e.g. smblib)
    Norco, CA WX: 51.6°F, 69.0% humidity, 10 mph SSE wind, 0.30 inches rain/24hrs
    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
  • From Feserenity@VERT to Digital Man on Wed Feb 18 00:12:55 2026
    Re: Question on User Data
    By: Digital Man to Feserenity on Tue Feb 17 2026 07:45 pm

    No, there's no mechanism for hashing or encrypting the passwords in the Synchronet userbase (today, that's data/user/user.tab). A one-way hash would be particularly tricky because Synchronet supports a bunch of digest-based authentication methods that all require different hashes of the password along with challenge/nonce/salt (so you need the original password to compute those).

    We could encrypt the passwords on disk (reversible to plaintext again, for the above stated reasons), but then you need to have/store a key to decrypt them somewhere and how is that any more secure than the user.tab file? It's a can of worms that hasn't been worth dumping out and sorting through.

    Thanks! Yeah, that would make it tricky if supporting other auth mechanisms that need to have their client-given hash + salt match the server-side password post hashing + salting. Hmmmm.... Yeah, in that case it is definitely a can of worms. And for sure encrypting them at rest is a nice idea, but then if you have to decrypt them per login operation then the information is floating around on the server anyways to revert them back to plaintext.

    Will go with the human-side solution for now and encourage folks to not use a password they don't want me to potentially see.

    Thanks again!

    ---
    ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
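
Added example, not part of the thread and not Synchronet code: a sketch of the constraint discussed above, using APOP, CRAM-MD5 and HTTP Digest as representative challenge-response schemes (the thread does not name the methods). The password, salt, challenge, user, realm and all function names are constructed for illustration.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def apop(secret, challenge):
    # RFC 1939: MD5(challenge + shared secret)
    return md5_hex(challenge + secret)

def cram_md5(secret, challenge):
    # RFC 2195: HMAC-MD5 keyed with the shared secret over the challenge
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()

def http_digest(secret, challenge, user="sysop", realm="bbs", method="GET", uri="/"):
    # RFC 2617 without qop: MD5(HA1:nonce:HA2), HA1 = MD5(user:realm:secret)
    ha1 = md5_hex(f"{user}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{challenge}:{ha2}")

SCHEMES = {"APOP": apop, "CRAM-MD5": cram_md5, "HTTP Digest": http_digest}

def pbkdf2_record(password, salt):
    # What a one-way password store would keep on disk instead of the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def password_login_ok(submitted, salt, record):
    # Works with a one-way store: the client sends the password itself
    return hmac.compare_digest(pbkdf2_record(submitted, salt), record)

def server_accepts(stored_secret, challenge, response, scheme):
    # The server recomputes the expected response from what it has on disk
    expected = SCHEMES[scheme](stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def compare_storage(password, salt, challenge):
    """Per scheme: (verifies with plaintext stored, verifies with only a hash stored)."""
    record = pbkdf2_record(password, salt)
    results = {}
    for name, scheme in SCHEMES.items():
        response = scheme(password, challenge)  # the client knows the real password
        results[name] = (server_accepts(password, challenge, response, name),
                         server_accepts(record, challenge, response, name))
    return results

if __name__ == "__main__":
    # Constructed sample values
    table = compare_storage("hunter2", b"constructed-salt", "<1896.697170952@bbs.example>")
    for name, (plain_ok, hashed_ok) in table.items():
        print(f"{name:12} plaintext store: {plain_ok}  one-way store: {hashed_ok}")
```

Each scheme mixes the password into a different function together with a fresh challenge, so a single stored one-way hash cannot stand in for it; only a login where the client submits the password itself can be checked against such a record.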
  • From MRO@VERT/BBSESINF to Digital Man on Wed Feb 18 02:37:22 2026
    Re: Question on User Data
    By: Digital Man to Feserenity on Tue Feb 17 2026 07:45 pm

    have/store a key to decrypt them somewhere and how is that any more
    secure than the user.tab file? It's a can of worms that hasn't
    been worth dumping out and sorting through.



    it was fun when i could go on anybody's bbs and print their password and system password if they were using a baja module that allowed text input.

    pistolgrip pretty much shit his pants and reversed his stance on not doing anything until you made an update.


    --
    "Before using Wildcat....This Company did not have a convenient way of
    looking after some of the richest clients in the world...Now we do!"
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::