halalaninitiative / halalan

Free and open-source voting system

Hashing the hashed password on the client #55

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Since there's no way to change the admin's password after installation
(aside from manually digging into MySQL), I saved the password using the
browser's (Camino) remember-credential feature.
2. Before the password is sent to the gate controller, it is hashed using
the JavaScript implementation, so what is saved in the browser is the hashed
version. So the next time I try to log in, the hashed password is already in
the password field, and when I click the login button the hashed value is
hashed again, so I wasn't able to log in.

What version of the product are you using? On what operating system?
Running the latest release under osx86

Please provide any additional information below.

Unless there's a good reason for hashing the password on the client side, I
think hashing the password only on the controller will be a good idea.

I think adding an admin *RU* on the administration section will be a good
idea too.

Original issue reported on code.google.com by caket...@gmail.com on 26 Aug 2008 at 9:05

GoogleCodeExporter commented 9 years ago
Ah yes.  This is a bug.  But since we will change the way password hashing is
done, I'm not yet sure if the client-side hashing would still remain.

We implemented a client-side hashing so that the password being sent through an
unencrypted network is not plain.

Original comment by waldemar...@gmail.com on 26 Aug 2008 at 1:16

GoogleCodeExporter commented 9 years ago
Ah, I see. I'll be looking forward to the new hashing...

Original comment by caket...@gmail.com on 27 Aug 2008 at 2:34

GoogleCodeExporter commented 9 years ago
How about we make this optional so that deployments which use SSL can turn off
client-side hashing?

Original comment by djclue...@gmail.com on 4 Feb 2009 at 2:44

GoogleCodeExporter commented 9 years ago
I agree.  Will make this an option during the installation.

Original comment by waldemar...@gmail.com on 17 Feb 2009 at 3:12

GoogleCodeExporter commented 9 years ago

Original comment by waldemar...@gmail.com on 17 Mar 2009 at 5:59

GoogleCodeExporter commented 9 years ago
Hashing of the password on the client side will be removed.  Use of HTTPS is
recommended instead of client-side hashing.  Also see issue 53.

Original comment by waldemar...@gmail.com on 16 Jun 2010 at 7:02
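An added simulation (not halalan's own code) of the failure the opening report describes and of the server-only hashing the comment above settles on: the client pre-hash, the browser remembering the submitted field value, and the resulting double hash on the next login. The SHA-1 client hash, the PBKDF2 parameters and the class names are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed simulation (not halalan's own code): the login page pre-hashes
# the password field in JavaScript before submit, and the browser's "remember
# password" feature stores the field as submitted, i.e. the pre-hash.

def client_prehash(password: str) -> str:
    """Assumed client-side hash: unsalted SHA-1 of the field contents."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

class LegacyGate:
    """Assumed old controller: keeps the client pre-hash and compares it."""
    def __init__(self, password: str) -> None:
        self.stored = client_prehash(password)

    def prepare(self, field: str) -> str:  # what the page's JavaScript does
        return client_prehash(field)

    def verify(self, sent: str) -> bool:
        return hmac.compare_digest(sent, self.stored)
class HardenedGate:
    """Server-only hashing: the raw password travels over TLS (assumed) and is
    salted and stretched on the controller; nothing runs in the browser."""
    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.stored = self._digest(password)

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   self.salt, 100_000)

    def prepare(self, field: str) -> str:  # no client-side transform at all
        return field

    def verify(self, sent: str) -> bool:
        return hmac.compare_digest(self._digest(sent), self.stored)

def two_logins(gate, typed_password: str) -> tuple[bool, bool]:
    """Log in once by typing, then once from the browser's remembered value."""
    field = gate.prepare(typed_password)  # JavaScript (if any) edits the field
    first_ok = gate.verify(field)
    remembered = field                    # browser stores the submitted value
    field = gate.prepare(remembered)      # autofill, then the JavaScript again
    second_ok = gate.verify(field)
    return first_ok, second_ok
if __name__ == "__main__":
    print(two_logins(LegacyGate("s3cret"), "s3cret"))    # (True, False)
    print(two_logins(HardenedGate("s3cret"), "s3cret"))  # (True, True)
```

The legacy gate accepts the typed password once and then rejects the browser's remembered value, exactly as reported; with hashing done only on the controller the remembered value is the password itself and both logins succeed.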

GoogleCodeExporter commented 9 years ago

Original comment by aicapa...@gmail.com on 19 Jun 2010 at 2:17