aforward / safetybox

Security oriented helper functions for Elixir

Bad Cryptography #1

Open azet opened 9 years ago

azet commented 9 years ago

Hi,

You're using bad crypto throughout. For example hashing with MD5 is not encrypting data. I'd suggest adding a big warning in the README file and taking a look into http://cacr.uwaterloo.ca/hac/ :)

No offense but people that might not look at the code will get very bad security out of this module.

aforward commented 9 years ago

No offence. I clearly document that this library focuses on simplicity and not security. From the docs.

Safetybox a collection of security oriented functions

This is oriented towards individuals that store passwords directly in their code, or some other not-so-hard-to-find location

Please submit a PR with enhancements, it will be much appreciated.

azet commented 9 years ago

Neither in the documentation nor in the README can I find any mention that the security of this project is lacking? :)

The problem is that even for storing passwords salted MD5 is a very bad choice. These days most people use bcrypt or scrypt for password hashing.

aforward commented 9 years ago

[two screenshots, dated 2015-07-17]

aforward commented 9 years ago

http://hexdocs.pm/safetybox/

azet commented 9 years ago

@aforward yes. I was directly referring to this paragraph in my last comment.

aforward commented 9 years ago

Sorry, it is implied as this is geared towards individuals that are doing really insecure things (i.e. plain text passwords directly in the core code base), so it's a step above.

Note that they give security "oriented" functions, and the implicitness of the target audience implies the degree to which it is secure. I don't mention how secure, but as you pointed out, it's not (but it is better than the approach being taken by the target audience).

I hope to see a PR from you soon, so that we can update the docs to show how secure the functions now are.

azet commented 9 years ago

I'm not really an Erlang expert - thanks for your explanation.

As I see it, there is a library that currently supports strong crypto for Elixir: https://github.com/electricFeel/savoyr as well as Erlang built-in crypto routines which look promising http://www.erlang.org/doc/man/crypto.html

aforward commented 9 years ago

I dabble in Elixir without knowing much of anything about Erlang (which is unfortunate), and at the time the de facto Phoenix web framework process was to store the plain text password in the configs -- hence this small project was born. Phoenix has since improved their out-of-the-box configurations and I haven't maintained this.

Here's an article I wrote about the possible use of the project as a step-up from plain text passwords http://a4word.com/articles/safetybox.php

The strong crypto link didn't work, can you repost?

azet commented 9 years ago

Does this work? https://github.com/electricFeel/savory

aforward commented 9 years ago

Yes.