dresden-elektronik / phoscon-app-beta

Access to Phoscon app beta

security issue: Plain text passwords #39

Closed Gallimathias closed 4 years ago

Gallimathias commented 5 years ago

I noticed that the passwords are in plain text in the database.

Sending people a password Base64 encoded unencrypted over the line as well as saving it without hashing and salting is a disaster nowadays.

The bad thing is that you talk about hashing in the documentary, but don't hash.

Please use salting and hashing as soon as possible. Best to use SHA256 or SHA512

manup commented 5 years ago

In future versions we will get rid of passwords (especially default passwords) entirely.

Every RaspBee and ConBee module contains a unique set of cryptographic keys which will be used to implement challenge based authentication and apikey creation.

Work on this has already been under way for a while and will be finished in 2019:

https://github.com/dresden-elektronik/deconz-rest-plugin/blob/master/rest_configuration.cpp#L1177

However, it is a tricky UI problem with legacy devices. Since 2013 we have a huge install base in the field, which first needs to be upgraded to support the crypto API. We are exploring various ideas to provide a solution and a clean upgrade path.

https://github.com/dresden-elektronik/deconz-rest-plugin/blob/master/authentification.cpp

The bad thing is that you talk about hashing in the documentary, but don't hash. Please use salting and hashing as soon as possible. Best to use SHA256 or SHA512

The password is stored salted and hashed in the database using the POSIX crypt() function (Linux only).

However, you're right that the transfer between browser and deCONZ just uses a base64-encoded version. This will be fixed once the new crypto API mentioned above is finished.
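To make the distinction in the two posts above concrete, here is an added example (not code from the deCONZ project) contrasting the transport and storage sides: a base64 Basic-auth header recovered from a constructed captured request, and a salted, iterated password hash in a crypt()-style modular string for at-rest storage. The header value and credentials are made up for the example; PBKDF2-HMAC-SHA256 stands in for whatever crypt() variant the project actually uses.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample of what a sniffer sees on an unencrypted HTTP
# connection; the credentials are invented for this example.
CAPTURED_HEADER = "Authorization: Basic YWRtaW46aHVudGVyMg=="


def credentials_from_basic_header(header_line):
    """Recover user and password from an HTTP Basic header.

    Base64 is an encoding, not encryption: anyone on the path can
    reverse it, which is why TLS or a challenge scheme is required.
    """
    _, scheme, token = header_line.split()
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash for storage, written in a modular-crypt-style
    string ($scheme$iterations$salt$digest) like crypt() produces."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Re-derive the digest with the stored salt/iterations and compare
    in constant time, so the stored string never reveals the password."""
    _, _, iterations, salt_b64, digest_b64 = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


if __name__ == "__main__":
    user, pw = credentials_from_basic_header(CAPTURED_HEADER)
    print("on the wire:", user, pw)          # plain credentials recovered
    stored = hash_password(pw)
    print("in the database:", stored)        # salt + digest, no password
    print("verify:", verify_password(pw, stored), verify_password("x", stored))
```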

Frescha commented 3 years ago

Hi, is there anything new on this topic? I happened to see while debugging with Wireshark that the user credentials are more or less transmitted as "plain text". As described in the initial post from @Gallimathias, the password is still only encoded with Base64 and thus transmitted unencrypted. Bump: @manup