How does emby store passwords?

security hashing

7 replies to this topic

#1 abeybaby (Newbie, Members)

Posted 28 July 2015 - 04:40 PM

When I reset my emby password, I get my new password emailed to me in plaintext. This isn't even a temporary password, either: you are encouraged to change it, but it is not mandatory at login.

This suggests emby is storing passwords in an unhashed form (otherwise they would not know the password itself and wouldn't be able to email it).

Given the recent hack at Plex, security should be top of our minds; that's the only reason I'm asking.

Also, is the password for Emby forums and the emby web client the same?



#2 Koleckai Silvestri (Advanced Member, Alpha Testers)

Posted 28 July 2015 - 04:50 PM

Emby uses the same forum software that Plex used to use. As such, they are most likely using the same hashing scheme. The latest published methodology for Invision Power Board is:

$hash = md5( md5( $salt ) . md5( $password ) );

However, I don't think Plex was actually hacked via the forum software; that is just what they stole.

Someone else would have to answer the other questions. However, the lack of security with MD5 hashes is one reason why I don't use Emby Connect. Hopefully they use Blowfish or some other system that is more secure.

#3 Luke (System Architect, Administrators)

Posted 28 July 2015 - 04:58 PM

We don't store in plain text. The behavior you're describing only applies to the password reset function, where IPB emails the random password before hashing and storing. However, your suggestion of a mandatory password change at login is a good idea and something we can look into.

#4 abeybaby (Newbie, Members)

Posted 28 July 2015 - 08:58 PM

However, I don't think Plex was actually hacked via the forum software; that is just what they stole.

Actually, Plex confirmed they were hacked via their forum software.

https://blog.plex.tv...assword-resets/
As we had suspected, the attackers gained entry via exploiting bugs in the forums software, some of which may not be well understood or publicly disclosed, or have patches readily available.

What made the Plex hack so bad is that they had a ridiculous policy whereby you could only log into their support forums using your Plex server/Plex Web username and password. You couldn't have a separate login just for the forums, so when the forum was hacked, all the Plex server users' info was also taken.

Luke - thanks for the info

#5 ebr (Chief Bottle Washer, Administrators)

Posted 29 July 2015 - 11:15 AM

They also don't have Abo keeping on top of every forum software patch :).

#6 SonicYonex (Newbie, Members)

Posted 20 January 2017 - 04:52 PM

We don't store in plain text. The behavior you're describing only applies to the password reset function, where IPB emails the random password before hashing and storing. However, your suggestion of a mandatory password change at login is a good idea and something we can look into.

Are regular passwords stored salted and hashed then? And are they in some form of database or flat file?



#7 SonicYonex (Newbie, Members)

Posted 23 January 2017 - 11:55 AM

Are regular passwords stored salted and hashed then? And are they in some form of database or flat file?

I created a user with a password of "password", found "C:\Users\SonicYonex\AppData\Roaming\Emby-Server\data\users.db", opened with a sqlite editor, and the password listed for the user is "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" which matches a SHA1 hash result when fed "password."  So no salt, it's just a straight SHA1 saved in a regular column.



#8 ebr (Chief Bottle Washer, Administrators)

Posted 23 January 2017 - 12:47 PM

Emby Server does not salt passwords but this forum software does.
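To make the two schemes discussed in this thread concrete, here is an added Python example (not Emby's or IPB's own code) that reproduces the unsalted SHA1 value reported in post #7, implements the IPB md5 formula quoted in post #2 for comparison, and shows a salted, iterated alternative (PBKDF2-HMAC-SHA256). The "iterations$salt$digest" record layout is an assumption made for illustration, not a format either product uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Value post #7 reports for an Emby user whose password was "password".
STORED_EMBY_HASH = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"


def emby_style_hash(password: str) -> str:
    """Unsalted SHA1 hex digest, the form post #7 found in users.db."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def ipb_style_hash(password: str, salt: str) -> str:
    """md5( md5(salt) . md5(password) ), the IPB scheme quoted in post #2."""
    def md5hex(s: str) -> str:
        return hashlib.md5(s.encode("utf-8")).hexdigest()
    return md5hex(md5hex(salt) + md5hex(password))


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """Salted, slow alternative (PBKDF2-HMAC-SHA256). The
    'iterations$salt$digest' layout is an illustrative format assumed here,
    not something Emby or IPB uses."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Confirms the finding in post #7: the stored value is plain SHA1("password").
    print(emby_style_hash("password") == STORED_EMBY_HASH)
    # Salted schemes give different records for the same password on different accounts.
    print(ipb_style_hash("password", "ab12") != ipb_style_hash("password", "cd34"))
    record = pbkdf2_store("password")
    print(pbkdf2_verify("password", record), pbkdf2_verify("Password", record))
```

Because Emby's column holds SHA1(password) with no salt, every account sharing a password stores the identical digest, which is exactly what the salt in the IPB formula and in the PBKDF2 record prevents.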
