ether / ep_hash_auth

Etherpad plugin that allows hash values to be used for authentication in settings.json
Apache License 2.0
5 stars, 10 forks

Use bcrypt instead of SHA2-512. The SHA2 in this setup is insecure. #1

Closed. ypid closed this 8 years ago

ypid commented 8 years ago

SHA2 with one round for storing passwords is anything but secure these days. Bcrypt seems to be the better option.

Related: https://github.com/debops/ansible-etherpad/issues/14

@LaKing Thanks for putting up the git repo for it :+1:

LaKing commented 8 years ago

IMO we shouldn't "switch" to bcrypt, but extend ep_hash_auth to be able to use bcrypt. I can't merge this at the moment as the SHA2 crypt is removed, and that would break many installations on update.

I suggest allowing bcrypt as a hash_typ parameter, or eventually implementing a hash_lib settings.json argument if that is easier, ...

@ypid do you want to fix that? I'm kind of busy these days ... :) ... if not, I will fix it at a later time.

ypid commented 8 years ago

Sounds good. I recommend switching to bcrypt by default (security by default). Can you test this?

In my test setup I currently get "Failed to load 'ep_hash_auth/index:authenticate' for 'ep_hash_auth/ep_hash_auth/hooks/authenticate': Error: Cannot find module 'ep_etherpad-lite/node/utils/Settings'", no idea why.

LaKing commented 8 years ago

Tested and integrated after a rewrite.