Web Server Password Encryption

Vicendithas · 04-26-2018, 03:06 PM

I recently set up my Calibre library to use the web server feature so that I could access my library from anywhere, as well as give friends and family access to my books. I set it up such that it requires a username and password, mostly because I don't want someone random stumbling upon it and deleting all my books. Out of curiosity, I downloaded a database reader to open the server-users.sqlite file that is stored in %APPDATA%/calibre. I found that the passwords are stored in plaintext. It's not a huge deal because someone would have to get access to my computer to get those passwords, but it's probably something that should be addressed eventually.

Regards,

Vicendithas

kovidgoyal · 04-26-2018, 10:01 PM

The passwords have to be stored in plaintext, because otherwise you lock-in a single auth method (you would have to store the MD5 hash of the password for digest auth). This has various problems:

1) The stored password can only be used for digest auth or plaintext auth. No other auth schemes that might be developed in the future can be used.
2) MD5 is broken and so storing using an MD5 hash is only a marginal improvement over storing in plaintext.

04-26-2018, 03:06 PM	#1
Vicendithas Junior Member Posts: 1 Karma: 10 Join Date: Feb 2017 Device: Kindle Paperwhite 3	Web Server Password Encryption I recently set up my Calibre library to use the web server feature so that I could access my library from anywhere, as well as give friends and family access to my books. I set it up such that it requires a username and password, mostly because I don't want someone random stumbling upon it and deleting all my books. Out of curiosity, I downloaded a database reader to open the server-users.sqlite file that is stored in %APPDATA%/calibre. I found that the passwords are stored in plaintext. It's not a huge deal because someone would have to get access to my computer to get those passwords, but it's probably something that should be addressed eventually. Regards, Vicendithas

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Server password change	Gazerwolf	Calibre	2	06-30-2017 07:26 AM
The state of access protection (password/encryption) on e-reader devices	fx32	Which one should I buy?	11	12-13-2016 10:43 PM
Porting Calibre's built-in web server to a remote server?	perryja	Related Tools	6	05-02-2013 09:05 AM
Password in content server	Siemon@stegmeije	Library Management	2	12-10-2012 03:10 PM
calibre-server OPDS catalog - manual move to web server	HaakonME	Related Tools	5	09-21-2012 03:11 AM

04-26-2018, 10:01 PM	#2
kovidgoyal creator of calibre Posts: 43,839 Karma: 22666666 Join Date: Oct 2006 Location: Mumbai, India Device: Various	The passwords have to be stored in plaintext, because otherwise you lock-in a single auth method (you would have to store the MD5 hash of the password for digest auth). This has various problems: 1) The stored password can only be used for digest auth or plaintext auth. No other auth schemes that might be developed in the future can be used. 2) MD5 is broken and so storing using an MD5 hash is only a marginal improvement over storing in plaintext.

Advert