mrasirkhan / Automatix-Framework


Issue with password hashing without a salt #2

Open luchua-bc opened 3 years ago

luchua-bc commented 3 years ago

Hi @mrasirkhan ,

Thanks for sharing the repository and it's a nice one.

I noticed one issue - the following program hashes then stores passwords without a salt:

The code is:

    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;

    public static String genaratePassword(String password) {
        String generatedPassword = null;
        try {
            // Create MessageDigest instance for MD5
            MessageDigest md;
            md = MessageDigest.getInstance("MD5");

            // Add password bytes to digest (no salt is mixed in)
            md.update(password.getBytes());
            // Get the hash's bytes
            byte[] bytes = md.digest();
            // This bytes[] has bytes in decimal format;
            // convert it to hexadecimal format
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < bytes.length; i++) {
                sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
            }

            // Get complete hashed password in hex format
            generatedPassword = sb.toString();
        } catch (NoSuchAlgorithmException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        return generatedPassword;
    }

MD5 has been considered obsolete and unsafe for a long time, and hashed passwords without a salt are vulnerable to dictionary attacks. This type of vulnerability is categorized as CWE-759: Use of a One-Way Hash without a Salt. I've submitted a Pull Request with the modified code adding a random salt to the SHA256 hash. Please consider merging the PR.

Thanks, @luchua-bc
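The salted-hash approach the issue proposes, as an added example that is neither the repository's code nor the PR's: a fresh random salt is generated per password, stored alongside the SHA-256 digest, and reused at verification time with a constant-time comparison. The class name, method names and the "salt$hash" storage format are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper (example code, not the framework's own): salted SHA-256
// with the salt stored next to the hash so it can be reused on verification.
public class SaltedPasswordHash {
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // Digest = SHA-256(salt || password); the salt must go in before the password bytes.
    private static byte[] sha256(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Returns "base64(salt)$base64(hash)". Base64 never emits '$', so the
    // separator is unambiguous when the record is parsed back.
    public static String generatePassword(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt); // fresh random salt for every stored password
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(sha256(salt, password));
    }

    // Recomputes the digest with the stored salt and compares in constant time,
    // so the comparison itself does not leak how many leading bytes matched.
    public static boolean verifyPassword(String password, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) {
            return false; // malformed record
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[0]);
        byte[] expected = dec.decode(parts[1]);
        return MessageDigest.isEqual(expected, sha256(salt, password));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String first = generatePassword("hunter2");  // constructed sample password
        String second = generatePassword("hunter2");
        // Same password, different salts: the stored records differ, so a
        // precomputed table of unsalted hashes cannot match both at once.
        System.out.println("records differ: " + !first.equals(second));
        System.out.println("correct password accepted: " + verifyPassword("hunter2", first));
        System.out.println("wrong password rejected: " + !verifyPassword("wrong", first));
    }
}
```

A salt stops precomputed dictionaries but a single SHA-256 is still fast to brute-force per record; a password-specific KDF such as PBKDF2 (available in the JDK as "PBKDF2WithHmacSHA256" via SecretKeyFactory) adds the iteration cost that this example omits.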

luchua-bc commented 3 years ago

Any update on the request? Thanks.