Closed wezell closed 1 year ago
Please have me review it before this code is merged. Must ensure the enumeration issue is also fixed, thanks.
Here are the steps to verify the code fix: check the dotcms.log file for the line:
User (dotcms.org.1) password was re-hashed 600000 times
Fixed, tested on release-23.03 // Docker // FF
Problem Statement
Passwords stored in dotCMS are hashed multiple times using an industry recognized algorithm, PBKDF2-HMAC-SHA256. When we implemented password hashing, 20,000 iterations were enough to slow down a brute force cracking attack. With today's modern processors and GPUs, OWASP recommends at least 600,000 iterations of hashing to protect passwords from modern hardware. See this page for more information: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
Luckily, dotCMS's password implementation allows us to raise the number of iterations without much drama, and it takes effect the next time a user logs in - dotCMS will automatically re-hash the user's password with the correct number of iterations. Note that it is impossible to go back and re-hash users' passwords without the user's interaction - we need the password in the clear to be able to re-hash it.
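The mechanism described above, as an added illustration that is not dotCMS's own code: the stored record carries its iteration count, verification needs the cleartext password, and a record hashed with the old 20,000-iteration setting is transparently re-hashed at 600,000 iterations on the next successful login. The record format ("pbkdf2-sha256$iterations$salt$hash") is an assumption for this example, not the dotCMS on-disk format.

```python
import base64
import hashlib
import hmac
import os

# Iteration counts named in the issue: the original dotCMS setting and the OWASP minimum.
OLD_ITERATIONS = 20_000
NEW_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32  # SHA-256 output length


def hash_password(password: str, iterations: int = NEW_ITERATIONS) -> str:
    """Return a self-describing record (assumed format, not dotCMS's):
    'pbkdf2-sha256$<iterations>$<salt b64>$<derived key b64>'.
    Storing the iteration count next to the hash is what lets the login path
    recognise records that were hashed with too few iterations."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_BYTES)
    return "$".join(["pbkdf2-sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def stored_iterations(stored: str) -> int:
    return int(stored.split("$")[1])


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the parameters stored in the record and compare in constant time."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), len(expected))
    return hmac.compare_digest(actual, expected)


def login(password: str, stored: str) -> tuple[bool, str]:
    """Login path: verify, then upgrade. The cleartext password is only available
    here, which is why stale records cannot be re-hashed offline in bulk.
    Returns (success, record); on success the record is re-hashed with
    NEW_ITERATIONS if it was stored with fewer."""
    if not verify_password(password, stored):
        return False, stored
    if stored_iterations(stored) < NEW_ITERATIONS:
        stored = hash_password(password, NEW_ITERATIONS)
    return True, stored
```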
Steps to Reproduce
Login
Acceptance Criteria
select password_ from user_ where userid='dotcms.org.1';
dotCMS Version
4.x-23.01
Proposed Objective
Security & Privacy
Proposed Priority
Priority 2 - Important