CodyReichert / awesome-cl

A curated list of awesome Common Lisp frameworks, libraries and other shiny stuff.
https://awesome-cl.com

hunchentoot-auth is insecure, and should be removed #463

Closed duncan-bayne closed 1 year ago

duncan-bayne commented 1 year ago

The library hunchentoot-auth is insecure. Per its documentation:

Note that the password is not directly stored in the persistent storage, but rather the password is appended to a random (per-user) salt (which is stored in the persistent database) and this salted user name is then hashed using the MD5 hashing algorithm.

I've raised an issue on hunchentoot-auth, but in the meantime it should be removed from this collection.

vindarel commented 1 year ago

from the twit linked on the issue:

This is what MD5 hashes look like in hashcat calculating billions of possibilities per second: […]

and confirmation on "billions per second".

Thanks.
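The thread's point is that one salted MD5 pass is far too cheap to protect stored passwords. The example below is added for this page and is not code from awesome-cl or hunchentoot-auth; it is Python rather than Common Lisp, and every function name in it is the example's own. It implements the scheme the quoted documentation describes next to a PBKDF2-HMAC-SHA256 record that stores its cost parameter, so the iteration count can be raised later without breaking existing records, and it measures how much more work each verification costs. The 600,000 iteration count is an assumption taken from current OWASP password-storage guidance; the sample password and fixed timing salt are constructed.

```python
import hashlib
import hmac
import os
import time

# --- Weak scheme, modelled on the hunchentoot-auth documentation quoted above:
# per-user random salt, password appended, a single MD5 pass. Function names are
# this example's own, not the library's API.


def md5_salted_hash(password: str, salt: bytes) -> bytes:
    """salt || password -> MD5. One fast hash, trivially parallel: weak for passwords."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def md5_verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time compare avoids leaking how many prefix bytes matched.
    return hmac.compare_digest(md5_salted_hash(password, salt), stored)


# --- Hardened scheme: a deliberately slow, tunable password KDF.
# 600_000 iterations of PBKDF2-HMAC-SHA256 follows OWASP's Password Storage
# Cheat Sheet recommendation at the time of writing (an assumption of this example).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Store everything needed to verify later, including the cost parameter,
    so the iteration count can be raised for new records without breaking old ones."""
    salt = os.urandom(SALT_BYTES)
    return {
        "alg": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": salt,
        "hash": pbkdf2_hash(password, salt, iterations),
    }


def verify_record(password: str, record: dict) -> bool:
    # Refuse records in any other format rather than guessing how to check them.
    if record.get("alg") != "pbkdf2-sha256":
        return False
    candidate = pbkdf2_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def seconds_per_hash(fn, repeat: int) -> float:
    """Average wall-clock cost of one call: a rough local measure of how much
    work a verifier (and so an offline guesser) must spend per candidate."""
    salt = b"\x00" * SALT_BYTES  # constructed fixed salt, for timing only
    start = time.perf_counter()
    for _ in range(repeat):
        fn("correct horse battery staple", salt)  # constructed sample password
    return (time.perf_counter() - start) / repeat


def work_factor_ratio() -> float:
    """How many times more expensive one PBKDF2 verification is than one salted MD5."""
    md5_cost = seconds_per_hash(md5_salted_hash, 5000)
    kdf_cost = seconds_per_hash(pbkdf2_hash, 2)
    return kdf_cost / md5_cost


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("verify correct password:", verify_record("correct horse battery staple", rec))
    print("verify wrong password:  ", verify_record("Tr0ub4dor&3", rec))
    print(f"PBKDF2 costs roughly {work_factor_ratio():,.0f}x a salted MD5 per guess")
```

The ratio printed at the end is the whole argument in one number: a verifier that is a few hundred thousand times slower per guess is an annoyance for a legitimate login but a wall for bulk offline guessing, and because the cost lives in the stored record it can be raised as hardware gets faster. A memory-hard KDF such as scrypt or Argon2 is the stronger choice where a binding is available; PBKDF2 is used here because it ships in the standard library.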