magentos-pl / opencaching-pl

Automatically exported from code.google.com/p/opencaching-pl

Password security #179

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Current way of storing passwords is not secure. An attacker, having access to 
the database, can easily crack a substantial number of them. We need to 
implement proper salting and long-lasting hash computation.

Original issue reported on code.google.com by rygielski on 3 Dec 2014 at 2:40

GoogleCodeExporter commented 9 years ago
Moreover, while logging in to a user account, the password is sent over an 
unsecured connection (http). This should be changed to https ASAP to avoid 
passwords being stolen.

Original comment by wloczynutka on 3 Dec 2014 at 2:54

GoogleCodeExporter commented 9 years ago
While I was at it, I noticed that the current function generating password-change 
codes uses uniqid, which is really completely unsuitable for this purpose (its 
output can reportedly be predicted, so an attacker could change any user's 
password without access to their e-mail account). I'll fix that too.

Original comment by rygielski on 3 Dec 2014 at 10:34

GoogleCodeExporter commented 9 years ago
The change is ready, I'm just waiting for OCRO to apply the ALTERs.

Original comment by rygielski on 3 Dec 2014 at 10:35

GoogleCodeExporter commented 9 years ago
Their self-propagating svn update doesn't run anyway, because it has 
conflicts...

Original comment by wloczynutka on 3 Dec 2014 at 10:44

GoogleCodeExporter commented 9 years ago
As far as I know it does run, and the conflicts are somehow "automatically
resolved". So if I committed now, I would probably break OCRO.

Original comment by rygielski on 3 Dec 2014 at 10:55

GoogleCodeExporter commented 9 years ago
Summary of changes.

Previous implementation used the following functions (in that order) to compute 
a hash:

1. md5, sha512

It is quite important for the new implementation to begin the hashing with the 
same set of functions. This makes it possible to add salt to existing hashes 
without knowing the correct passwords. The new algorithm will behave as follows:

2. md5, sha512, add salt, sha512
3. md5, sha512, add salt, sha512, add salt, sha512
4. md5, sha512, add salt, sha512, add salt, sha512, add salt, sha512
...

N hashing rounds will be performed and N will be stored in the database, along 
with a random salt. Once upgraded, 100000 hashing rounds will be performed with 
a salt of 6 characters.

Original comment by rygielski on 4 Dec 2014 at 7:23
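
The migration property described in the comment above, as an added Python illustration (not the project's PHP code): because the new scheme starts with the same md5, sha512 prefix, the stored unsalted hash is the starting point for the salted rounds, so existing rows can be upgraded without knowing the password and a later login still verifies. The digest encoding (lowercase hex concatenated with the salt before each sha512) and a hex salt alphabet are assumptions, since the thread does not specify them.

```python
import hashlib
import hmac
import secrets

# Assumption (not stated in the thread): each digest is the lowercase hex string,
# as PHP's md5()/hash() return by default, and the salt is appended to that hex
# string before the next sha512 round.


def legacy_hash(password: str) -> str:
    """Old scheme from the thread: md5, then sha512, no salt."""
    md5_hex = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha512(md5_hex.encode()).hexdigest()


def add_rounds(digest_hex: str, salt: str, rounds: int) -> str:
    """Apply `rounds` iterations of: add salt, sha512 (steps 2, 3, 4, ... above)."""
    for _ in range(rounds):
        digest_hex = hashlib.sha512((digest_hex + salt).encode()).hexdigest()
    return digest_hex


def new_hash(password: str, salt: str, rounds: int) -> str:
    """New scheme for a fresh password: md5, sha512, then N x (add salt, sha512)."""
    return add_rounds(legacy_hash(password), salt, rounds)


def upgrade_stored_hash(legacy_hex: str, rounds: int = 100000, salt: str = "") -> dict:
    """Migrate an existing row without the password: continue from the stored hash.

    The salt is 6 characters as in the thread; a hex alphabet is an assumption.
    """
    salt = salt or secrets.token_hex(3)
    return {"hash": add_rounds(legacy_hex, salt, rounds), "salt": salt, "rounds": rounds}


def verify(password: str, record: dict) -> bool:
    """Recompute the full chain from the password and compare in constant time."""
    candidate = new_hash(password, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    # Constructed sample: a legacy row for a known password, then the upgrade.
    legacy_row = legacy_hash("correct horse")
    upgraded = upgrade_stored_hash(legacy_row, rounds=1000)
    print(upgraded["rounds"], upgraded["salt"], verify("correct horse", upgraded))
```

The upgrade only adds work on top of the weak unsalted prefix; an attacker who already holds the old hashes before migration keeps them, so a forced password reset is the only way to retire them fully.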

GoogleCodeExporter commented 9 years ago
Regarding SSL, what would you recommend to each node: 
1) self-signed certificate 
   (user hassle to accept certificate)
2) certificate signed by CACert
   (still user hassle, because CACert is not included in browsers by default)
3) certificate signed by commercial CA
   (requires payment of an annual fee)

Original comment by andrixnet on 4 Dec 2014 at 1:30

GoogleCodeExporter commented 9 years ago
I've seen a free cert for open source. Can we get one? 
https://www.globalsign.com/ssl/ssl-open-source/

Original comment by wloczynutka on 4 Dec 2014 at 1:36

GoogleCodeExporter commented 9 years ago
Please move the SSL topic to other thread :) This one is now closed!

Original comment by rygielski on 4 Dec 2014 at 2:27
