rmyers / webapp-improved

Automatically exported from code.google.com/p/webapp-improved
Other
0 stars 0 forks source link

Insecure password hash function #81

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?

call webapp2_extras.security.generate_password_hash() without specifying a 
method:
http://webapp-improved.appspot.com/_modules/webapp2_extras/security.html#generat
e_password_hash

What is the expected output? What do you see instead?
I expect to store passwords using a secure hash function.  Instead I see a 
system defaulting to SHA1.   SHA1 is a broken hash function that is now two 
generations old,  we have SHA3!

webapp2,  and anyone using this password storage method is vulnerable to 
CWE-916: Use of Password Hash With Insufficient Computational Effort:

http://cwe.mitre.org/data/definitions/916.html

What version of the product are you using? On what operating system?

Google appenigne v1.8.0

Please provide any additional information below.

You should be using bcrypt, scrypt, or bpkdf2.   Bcrypt is probably the best 
choice:
http://security.stackexchange.com/questions/4781/do-any-security-experts-recomme
nd-bcrypt-for-password-storage/6415

Original issue reported on code.google.com by firealwa...@gmail.com on 29 May 2013 at 9:59