Closed ericelliott closed 9 years ago
I see you're the author of credential. Thanks for the pointer, it was on my to-do list to migrate to bcrypt but credential seems to be impeccably researched. I'm going to talk this over with the Apostrophe team and make sure it's done in the unstable branch and backported to the 0.5.x series.
As a transitional strategy I'd envision upgrading the sha1 passwords upon login. A tool to notify users who still need to do that is then very easy to write.
On Sat, Feb 7, 2015 at 2:58 AM, Eric Elliott notifications@github.com wrote:
The password hashing library used here is very insecure, and would likely fall very quickly to brute force attacks. It defaults to a single iteration, and uses and outdated sha1-hmac hashing algorithm. It should be using one of PBKDF2, scrypt, or bcrypt, instead. See Credential https://github.com/ericelliott/credential, for example.
https://github.com/punkave/apostrophe/blob/master/lib/password.js#L1
— Reply to this email directly or view it on GitHub https://github.com/punkave/apostrophe/issues/191.
THOMAS BOUTELL, DEV & OPS P'UNK AVENUE | (215) 755-1330 | punkave.com
The bcrypt module does seem more widely used. Are you aware of any weaknesses?
On Sat, Feb 7, 2015 at 9:56 AM, Tom Boutell tom@punkave.com wrote:
I see you're the author of credential. Thanks for the pointer, it was on my to-do list to migrate to bcrypt but credential seems to be impeccably researched. I'm going to talk this over with the Apostrophe team and make sure it's done in the unstable branch and backported to the 0.5.x series.
As a transitional strategy I'd envision upgrading the sha1 passwords upon login. A tool to notify users who still need to do that is then very easy to write.
On Sat, Feb 7, 2015 at 2:58 AM, Eric Elliott notifications@github.com wrote:
The password hashing library used here is very insecure, and would likely fall very quickly to brute force attacks. It defaults to a single iteration, and uses and outdated sha1-hmac hashing algorithm. It should be using one of PBKDF2, scrypt, or bcrypt, instead. See Credential https://github.com/ericelliott/credential, for example.
https://github.com/punkave/apostrophe/blob/master/lib/password.js#L1
— Reply to this email directly or view it on GitHub https://github.com/punkave/apostrophe/issues/191.
THOMAS BOUTELL, DEV & OPS P'UNK AVENUE | (215) 755-1330 | punkave.com
THOMAS BOUTELL, DEV & OPS P'UNK AVENUE | (215) 755-1330 | punkave.com
I take your point about OWASP recommending pbkdf2 where available. It's also built into node, avoiding the hassle of installation with clients who prefer not to provide us with compiler access, which makes the case for using credential stronger.
On Sat, Feb 7, 2015 at 10:16 AM, Tom Boutell tom@punkave.com wrote:
The bcrypt module does seem more widely used. Are you aware of any weaknesses?
On Sat, Feb 7, 2015 at 9:56 AM, Tom Boutell tom@punkave.com wrote:
I see you're the author of credential. Thanks for the pointer, it was on my to-do list to migrate to bcrypt but credential seems to be impeccably researched. I'm going to talk this over with the Apostrophe team and make sure it's done in the unstable branch and backported to the 0.5.x series.
As a transitional strategy I'd envision upgrading the sha1 passwords upon login. A tool to notify users who still need to do that is then very easy to write.
On Sat, Feb 7, 2015 at 2:58 AM, Eric Elliott notifications@github.com wrote:
The password hashing library used here is very insecure, and would likely fall very quickly to brute force attacks. It defaults to a single iteration, and uses and outdated sha1-hmac hashing algorithm. It should be using one of PBKDF2, scrypt, or bcrypt, instead. See Credential https://github.com/ericelliott/credential, for example.
https://github.com/punkave/apostrophe/blob/master/lib/password.js#L1
— Reply to this email directly or view it on GitHub https://github.com/punkave/apostrophe/issues/191.
THOMAS BOUTELL, DEV & OPS P'UNK AVENUE | (215) 755-1330 | punkave.com
THOMAS BOUTELL, DEV & OPS P'UNK AVENUE | (215) 755-1330 | punkave.com
THOMAS BOUTELL, DEV & OPS P'UNK AVENUE | (215) 755-1330 | punkave.com
0.6 (unstable branch) is using credential.
:+1:
The password hashing library used here is very insecure, and would likely fall very quickly to brute force attacks. It defaults to a single iteration, and uses and outdated sha1-hmac hashing algorithm. It should be using one of PBKDF2, scrypt, or bcrypt, instead. See Credential, for example.
https://github.com/punkave/apostrophe/blob/master/lib/password.js#L1