abeybaby, posted July 28, 2015:
When I reset my Emby password, I get my new password emailed to me in plaintext. This isn't even a temporary password either; you are encouraged to change it, but it is not mandatory at login. This suggests Emby is storing passwords in an unhashed form (otherwise they would not know the password itself and wouldn't be able to email it). Given the recent hack at Plex, security should be top of our minds; that's the only reason I'm asking. Also, is the password for the Emby forums and the Emby web client the same?
Koleckai Silvestri, posted July 28, 2015:
Emby uses the same forum software that Plex used to use. As such, they are most likely using the same hashing scheme. The latest published methodology for Invision Power Board is: $hash = md5( md5( $salt ) . md5( $password ) ); However, I don't think Plex was actually hacked via the forum software; that is just what they stole. Someone else would have to answer the other questions. However, the lack of security with MD5 hashes is one reason why I don't use Emby Connect. Hopefully they use Blowfish or some other system that is more secure.
Luke, posted July 28, 2015:
We don't store in plain text. The behavior you're describing only applies to the password reset function, where IPB emails the random password before hashing and storing. However, your suggestion of a mandatory password change at login is a good idea and something we can look into.
abeybaby, posted July 29, 2015:
Quoting Koleckai Silvestri: "However, I don't think Plex was actually hacked via the forum software; that is just what they stole."
Actually, Plex confirmed they were hacked via their forum software. https://blog.plex.tv/2015/07/02/security-notice-forum-user-password-resets/
Quoting the Plex notice: "As we had suspected, the attackers gained entry via exploiting bugs in the forums software, some of which may not be well understood or publicly disclosed, or have patches readily available."
What made the Plex hack so bad is that they had a ridiculous policy whereby you could only log into their support forums using your Plex server/Plex Web username and password; you couldn't have a separate login just for the forums. Thus when the forum was hacked, all the Plex server users' info was also taken. Luke, thanks for the info.
ebr, posted July 29, 2015:
They also don't have Abo keeping on top of every forum software patch.
SonicYonex, posted January 20, 2017:
Quoting Luke: "We don't store in plain text. The behavior you're describing only applies to the password reset function, where IPB emails the random password before hashing and storing. However, your suggestion of a mandatory password change at login is a good idea and something we can look into."
Are regular passwords stored salted and hashed, then? And are they in some form of database or flat file?
SonicYonex, posted January 23, 2017:
Quoting myself: "Are regular passwords stored salted and hashed, then? And are they in some form of database or flat file?"
I created a user with a password of "password", found "C:\Users\SonicYonex\AppData\Roaming\Emby-Server\data\users.db", opened it with a SQLite editor, and the password listed for the user is "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", which matches the SHA1 hash result when fed "password". So no salt; it's just a straight SHA1 saved in a regular column.
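The check in the post above, reproduced as an added example (Python; this is not Emby's code). It builds an in-memory SQLite table shaped like users.db (the table and column names are assumptions, since the real schema is not shown here, and the rows are constructed), confirms that the stored value equals SHA-1("password"), and then runs a dictionary attack over every row at once, which is exactly what the missing salt makes possible: one hash per wordlist entry tests that entry against every user, and users who share a password share a hash.

```python
import hashlib
import sqlite3

# Constructed stand-in for the users.db table described in the post. The real
# table and column names are not shown on the page, so "users", "name" and
# "password" are assumptions; only the hash for "password" comes from the post.
CONSTRUCTED_ROWS = [
    ("alice", "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),   # "password"
    ("bob",   "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),   # also "password"
    ("carol", hashlib.sha1(b"letmein").hexdigest()),          # "letmein"
]

# Constructed wordlist; a real attack uses a multi-million-entry list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "emby"]


def open_constructed_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database shaped like the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", CONSTRUCTED_ROWS)
    return conn


def unsalted_sha1(password: str) -> str:
    """The storage format observed in the post: hex SHA-1 of the raw password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_unsalted_sha1(stored: str, candidate: str) -> bool:
    """Reproduce the manual check: does the stored value equal SHA-1(candidate)?"""
    return stored.lower() == unsalted_sha1(candidate)


def crack_all(conn: sqlite3.Connection, wordlist) -> dict:
    """Dictionary attack against every row at once.

    With no salt, the wordlist is hashed exactly once (a lookup table), and
    every stored hash is matched against that table. The cost does not grow
    with the number of users, and identical passwords collide.
    """
    table = {unsalted_sha1(word): word for word in wordlist}
    found = {}
    for name, stored in conn.execute("SELECT name, password FROM users"):
        word = table.get(stored.lower())
        if word is not None:
            found[name] = word
    return found


if __name__ == "__main__":
    db = open_constructed_db()
    print(is_unsalted_sha1("5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", "password"))
    print(crack_all(db, WORDLIST))
```

Run against a copy of the real users.db the query and column names would have to be adjusted to the actual schema; the point of the example is that a single SHA-1 per guess covers the whole table.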
ebr, posted January 23, 2017:
Emby Server does not salt passwords, but this forum software does.
runtimesandbox, posted May 12, 2020:
I see it's still the case that SHA1 is used to hash passwords. Could Emby look into migrating to a more secure hash format (bcrypt / Argon2 / PBKDF2) and implement salting? There are even .NET libraries out there that could be used: https://github.com/BcryptNet/bcrypt.net https://github.com/neoKushan/BCrypt.Net-Core
ebr, posted May 12, 2020:
Quoting runtimesandbox: "I see it's still the case that SHA1 is used to hash passwords. Could Emby look into migrating to a more secure hash format (bcrypt / Argon2 / PBKDF2) and implement salting? There are even .NET libraries out there that could be used: https://github.com/BcryptNet/bcrypt.net https://github.com/neoKushan/BCrypt.Net-Core"
Hi. What is it you are really trying to achieve? The only place passwords are stored like this is in the database on the local server machine. Someone would need access to the actual file system of the server machine to even start digging around. At that point, your Emby user passwords are kind of a moot point, no?
runtimesandbox, posted May 13, 2020:
Whilst I understand your point there, another angle to look at it from would be users that reuse passwords. If an Emby server is compromised you can assume that the whole server is compromised, but if a user is then reusing that username/password combination elsewhere, with either other self-hosted services or online accounts (which IMO is very likely; credential stuffing attacks happen successfully all the time), then it's trivial for an attacker to use these compromised details elsewhere. Having passwords stored using a modern hashing method makes decrypting a stolen user DB non-trivial and greatly increases the difficulty of cracking the hashes.
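An added example (Python, not Emby's code) of the migration runtimesandbox asks for in the May 12 post and of why it blunts the credential-reuse scenario in the post above. Each password gets its own random salt and is stretched with PBKDF2-HMAC-SHA256 from the Python standard library; the record format and the iteration count are this example's own choices. A legacy unsalted SHA-1 entry is upgraded in place on the user's next successful login, the only moment the server has the plaintext. With a per-user salt, a precomputed table is useless, and each wordlist guess costs the full iteration count per user instead of one SHA-1 for the whole table.

```python
import base64
import hashlib
import hmac
import secrets

# Parameters chosen for this example (not Emby's): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and 600,000 iterations, the count OWASP recommends for
# PBKDF2-HMAC-SHA256 at time of writing.
ALGO = "pbkdf2-sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$hash_b64.

    Storing the parameters beside the hash lets the iteration count be raised
    later without invalidating existing records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DKLEN)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time check of candidate against a record from hash_password."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False          # malformed record, never a match
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations, DKLEN)
    return hmac.compare_digest(dk, expected)


def legacy_sha1(password: str) -> str:
    """The unsalted format discussed in the thread: hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_legacy(stored: str) -> bool:
    """A bare 40-hex-char value is the old unsalted SHA-1 layout."""
    return len(stored) == 40 and all(c in "0123456789abcdefABCDEF" for c in stored)


def login_and_migrate(users: dict, name: str, candidate: str) -> bool:
    """Authenticate against a {name: stored_record} table; upgrade legacy rows.

    A stored hash cannot be re-hashed into a salted form without the plaintext,
    so the upgrade happens on a successful login, when the plaintext is present.
    """
    stored = users.get(name)
    if stored is None:
        return False
    if is_legacy(stored):
        if not hmac.compare_digest(stored.lower(), legacy_sha1(candidate)):
            return False
        users[name] = hash_password(candidate)   # upgrade in place
        return True
    return verify_password(stored, candidate)


if __name__ == "__main__":
    table = {"alice": legacy_sha1("password")}   # constructed legacy row
    print(login_and_migrate(table, "alice", "wrong"))      # False, row unchanged
    print(login_and_migrate(table, "alice", "password"))   # True, row upgraded
    print(table["alice"].split("$")[0])                    # pbkdf2-sha256
```

After migration the two rows "alice" and "bob" from the earlier post, both with the password "password", would hold different records, so an attacker holding the file has to attack each user separately and pay the full iteration count per guess. bcrypt or Argon2id, as the post suggests, would serve the same purpose and additionally resist GPU cracking better than PBKDF2; the record-plus-parameters layout and the upgrade-on-login step are the same either way.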
rbjtech, posted May 29, 2020 (edited May 29, 2020 by rbjtech):
Quoting runtimesandbox: "Whilst I understand your point there, another angle to look at it from would be users that reuse passwords. If an Emby server is compromised you can assume that the whole server is compromised, but if a user is then reusing that username/password combination elsewhere, with either other self-hosted services or online accounts (which IMO is very likely; credential stuffing attacks happen successfully all the time), then it's trivial for an attacker to use these compromised details elsewhere. Having passwords stored using a modern hashing method makes decrypting a stolen user DB non-trivial and greatly increases the difficulty of cracking the hashes."
Whilst I don't disagree with anything you said, I think Emby have an adequate level of password security for the intended platform. a) it's local only; b) it's for local media sharing (yes, some PPI may be available). In this day and age, if you really are naïve enough to use the same password for Emby as you do for, say, your online banking, then it is my view that Emby are not responsible nor accountable for that; the user needs to take some responsibility for their decisions.