andrewrk / groovebasin

Music player server with a web-based user interface.
MIT License

store hashed passwords #434

Status: Open. Opened by andrewrk 9 years ago.

andrewrk commented 9 years ago

Here are two attack vectors:

Solution: store hashed passwords in the database.

fsateler commented 9 years ago

Currently GB creates the dbs world-readable. As a first pass at this issue it should probably create them with mode 600.

andrewrk commented 9 years ago

https://github.com/Level/leveldown/issues/177

andrewrk commented 9 years ago

mode 600 isn't going to happen on those db files (see the issue linked above). So the official recommendation is going to be: put the groovebasin db/config in a directory with appropriate permissions.

sbuller commented 9 years ago

Since this is so frequently done incorrectly, I hope you won't be offended if this post is just noise.

A simple hash is not sufficient - salt is necessary. Use of a Key Derivation Function like http://en.wikipedia.org/wiki/Scrypt is recommended. A quick googling turns up http://www.sitepoint.com/risks-challenges-password-hashing/ with a good explanation.

diogocp commented 9 years ago

bcryptjs has no dependencies, seems well-maintained, and is dead simple to use.