grctest
commented
7 years ago Tried to get IBM's cybersecurity division aware of this issue, no response yet.
Closed grctest closed 7 years ago
grctest
commented
7 years ago Tried to get IBM's cybersecurity division aware of this issue, no response yet.
grctest
commented
7 years ago In the mean time, a new project could completely block the use of username+password, in favour of using oAuth since it's somewhat supported by the BOINC web server & instruct users to add hosts to their account via their weak auth key.
Advantages:
Disadvantages:
tomasbrod
commented
7 years ago I suppor this! anything is better than MD5. Switching to BCrypt can even be done without a mandatory update. Tell mi if I should elaborate.
When BOINC account security changes in a way that requires mandatory upgrade then definitely Secure Remote Password or equivalent should be considered. It provides strong security even with weak and reused passwords. You could safely use the same password with multiple projects. http://srp.stanford.edu/ (the javascript demo is outdated, better impl exists)
grctest
commented
7 years ago Tell me if I should elaborate.
Please, go ahead. The migration involves ~4million accounts, it's a pretty daunting task.
tomasbrod
commented
7 years ago Well you let the users login using the old method but continuously nag them to change their password. Once they do, the new password is encrypted in the new format and no logins from old clients is allowed. Maybe add a checkbox that says "do you agree... update boinc required..." to be nice. The database just needs extra column to accomodate new password format. Even SRP could be implemented this way. SRP in boinc client requires OpenSSL. SPR for web login requires javascript library OR boinc manager to provide authentication token.
Edit: https://github.com/RuslanZavacky/srp-6a-demo Also: http://dev.minetest.net/Network_Protocol#Authentication
The current BOINC password hashing mechanism is quite insecure, migrating BOINC to a far more secure password hashing mechanism (such as Bcrypt/Argon2i/Other) is a good idea in the (hopefully near) future.
The change may require a mandatory upgrade of BOINC clients (which may be a nightmare for the BOINC community, as many do not upgrade their BOINC clients).
Perhaps a foundation-funded bounty would help get this improvement implemented sooner?
https://github.com/BOINC/boinc/issues/1644#issuecomment-272883362
https://github.com/grctest/project-rain-site/issues/9
Argon2i would require an upgrade of PHP from 5.x to 7.x https://github.com/grctest/project-rain-site/issues/10