search

resonatecoop / id-server-template

Resonate Coop ID Server
Mozilla Public License 2.0
3 stars 3 forks source link

Ensure password hash validation is working and secure as can be #10

Open angusmcleod opened 3 years ago

angusmcleod commented 3 years ago

A key piece of the data migration is to ensure that password hashes created in Wordpress still function as expected in the new architechture. There is existing handling for this here: password.go, i.e. it first attempts to validate the hash using bcrypt, and then attempts an MD5 (Wordpress). I want to be sure

  1. It's working for all passwords, whether created in Wordpress or via the ID server app
  2. That it's secure as it can be (granted that Wordpress passwords are not particularly secure)

@auggod Do you have any concerns about the password hash validation logic you've added in the linked file? Any potential issues we should be aware of?

auggod commented 3 years ago

We need to deprecate this phpass thing. For the migration, I would request existing users to create a new password (bcrypt only) We could validate existing password but anyway we also need to do email validations again.

It would be great if someone could review this piece: https://github.com/resonatecoop/id/blob/develop/oauth/email_token.go

auggod commented 3 years ago

We may have compat problems between this phpass function and the wordpress passwords.

David-Chadwick commented 3 years ago

One possible way forward is to introduce a new password policy (e.g. min 8 chars, mixture of upper lower number and special at least one of each) so that when everyone logs in for the first time to the new system you make them create a new password that fits the rules (can be the same as their old one, dont bother checking). You do this by asking them to click the reset pw link that emails them a secure URL to click on, valid for 10 minutes, and puts up a new PW screen. Then you will be sure that everyone is using the new system and you wont need to bother about compatibility with the old passwords

angusmcleod commented 3 years ago

@auggod Our plan is to

  1. Remove WP pwd validation entirely

  2. When a user attempts to log in, we check the last password changed date, if this is before July 15, then we don't authenticate. We show the message:

    Your password has expired. We've sent you an email with instructions on how to set your new password.

  3. We send a password reset email (existing forgot password mechanism)

  4. User must reset their password before logging in