• Welcome to the edge of the civilized internet! We are a site and community dedicated to freedom of speech. All our official content can be found here. If you have any questions, try our FAQ here or see our video on why this site exists at all!

Sanctuary Digital User Signatures Now Supported

Arnox

Veteran
Staff member
Founder
Messages
4,537
What is this?
Digital user signatures are just a fancy name that disguises a method that has been used for years and years to secure passwords and also to 100% accurately verify the contents of a file. Basically though, digital user signatures are pretty much what you'd guess they'd be. They ensure that as long as one party has the verification code, that party can fully verify a person's identity very easily, quickly, and securely.

Why is this needed?
I'll admit, this has much more importance for me personally since, of course, I am the owner of Sanctuary, and if the site gets shut down or compromised, I can communicate or bring Sanctuary back up at any time at any place with any host and still fully verify without a doubt that it is indeed Arnox speaking or bringing Sanctuary back up. Regardless though, there's absolutely no reason why people can't take advantage of this system as well to do with however they like. Right off the top of my head, with this system, no matter what account you have on what site or what account you start or lose access to, or even if you're merely guest posting, you can still verify that it is indeed you 100% and nobody else without giving even a single bit of personal information away.

How does it work?
The process is very simple. You make a new text file or word document and type into that document your chosen password, then save it. Now this is where the real magic behind this entire process happens. You run a SHA256 hash check on that document. The resultant large string of letters and numbers you get is the hash, or your verification code. The verification code is not reversible. You either know exactly how to create the document that generated that code or you don't and that's the end of it. A couple things to keep in mind though. If you're using a text file to do this, know that the way the text file is encoded (UTF-8, ANSI, etc.) will change the resultant hash even if the actual contents you typed into the document are the exact same. Also, the way Windows handles text file encoding is different from the way Linux handles it, so that will also affect the resultant hash. So, once you have the verification code, you post the verification code publicly here on Sanctuary so people can, of course, know what it is and save it. And when you need to verify your identity, there's two ways you can do this. The highly recommended way is to use VirusTotal. Make the password file, upload it to VirusTotal, and then give the link to whoever you need to verify your identity. If you are verifying someone's identity, ALSO PAY ATTENTION TO THE TIMESTAMP OF THE FILE SUBMITTED. Make sure that it is recent and not an old link. The other much more insecure way is to give the password file directly. IF YOU DO GIVE THE PASSWORD FILE TO SOMEONE, MAKE SURE YOU GIVE IT TO THEM IN PUBLIC ON SANCTUARY AND ALSO INCLUDE RIGHT IN THE SAME POST A NEW VERIFICATION CODE FOR THE NEW PASSWORD FILE YOU'VE MADE. DO NOT GIVE THE PASSWORD FILE TO ANYONE UNDER ANY OTHER CONDITIONS.

How would I generate a SHA256 hash from my password file?
Windows: Use 7-Zip. You can right click the file and select CRC > SHA256. Alternatively, you can do it right in the program by selecting a file in the 7-Zip file browser and then going to File > CRC > SHA256.

Linux: You can do it with the terminal using the sha256sum command, but most all distros will have a quick way to see a file's hash either by right-clicking it or by looking at the file's properties.

Are there any dangers I should keep in mind?
Yes. YOUR PASSWORD CAN STILL BE BRUTE-FORCED. Because of this, DO NOT use a simple password like 1234. Your digital user signature will not be secure if you do so! Another thing to keep in mind is where you're creating the file. Is the PC you're using to create the password file secure? If you're doubtful about that, you can use a LiveUSB Linux distro called Tails to boot yourself securely into any computer so you can recreate the password file for verification. Any file you create on Tails will be kept in RAM and will be hard deleted as soon as the PC is shut off. Yet another thing is, if you wish, you can indeed create a very very long password and just save the file to a drive for later instead of memorizing a password and deleting the file. This ensures that brute-forcing your password will be nigh impossible, but it does leave you open to a different and much more simple attack, and that is someone somehow getting a hold of your password file. You'll, of course, also have to make backups of the file to ensure it doesn't get lost.

Will this ever be made mandatory?
No. This is entirely opt-in and will always be. Just keep in mind though, if you lose your account and you never made a verification code, and you don't have any way to contact an admin to verify it really is you to get the account back, then you can kiss that account and identity goodbye.

Do I really have to save all the verification codes?
Don't worry. I'll do the hard work and gather the codes into one handy file so anyone can just quickly download it and keep it somewhere. But that said, I'm not your momma. If you don't have the verification codes then someone could easily lie to you and say that, oh, that's not really someone because MY verification codes say the VirusTotal link is not valid. If you have the true verification codes, you don't have to guess and find out for yourself immediately and without a doubt.

Where are all the verification codes for all users stored?
https://intosanctuary.com/index.php?threads/official-user-verification-code-list.1267/ There is also a link in the Members tab to the same thread.
 
Last edited:

Drathnoxis

Devotee
Messages
125
Ok, I've set my digital user signature. Now you'll always know whether it's me or an imposter.
 
Top