Recent posts in this topic

andrewCharron on Feb 7. 2008. 1:22 pm
If that is the case, someone should maybe come up with a hack or mod for it? I am not qualified to be creating such a system myself.
user2037 on Mar 10. 2008. 7:03 am
Hashing passwords should --at a minimum-- be the default for an installation. I think it should be required.

From an enterprise standpoint which is worse, requiring users to reset their passwords or notifying them their passwords have been compromised?

And considering that one can reverse most simple MD5 and SHA-1 hashes, it would be wise to use multiple rounds of hashing using multiple hash types. This should be done carefully so that security is not weakened. It should probably be done, again, on the client side along with an HMAC mechanism to secure logins when TLS is not available.
mleebert on Mar 14. 2008. 5:59 pm
I've modified the source to use the following scheme to store passwords: SHA-1(MD5(password + salt)). It only took about a dozen lines of code to wire this up. This includes support for adding new users, editing passwords, authentication and forgotten password (generates a new random password). I haven't made any changes to the DB except for hashing all current passwords in the DB. I'm storing the hashed password in the current password field.

Do know that this has the potential to break things if a new release includes a different implementation (MD5, etc.). I'm a new customer and I couldn't move AC into production with the way passwords were handled before. I'd like to move to a variable salt, but for now I am using a predefined salt. Also, I'm not using the API, so I haven't investigated what else might need to be changed in order to support this change.

If someone would like me to post the changes so they could patch their system please let me know.
400 LUX, LLC | 400lux.com
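As an added illustration (this is not activeCollab code and not the patch mleebert describes, which was never posted in the thread), the Python below contrasts the fixed-salt SHA-1(MD5(password + salt)) scheme from the post above with the per-user variable salt the post says it wants to move to, using an iterated KDF (PBKDF2-HMAC-SHA256) and a constant-time comparison. It also shows the two migration paths the thread touches on: hashing a table that still holds plaintext passwords in one pass, and upgrading a legacy fixed-salt record transparently at the user's next successful login. The salt constant, record format, iteration count and every function name are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed values for the example; activeCollab's real salt and storage
# format are not shown anywhere in the thread.
FIXED_SALT = b"site-wide-constant"      # the "predefined salt" scheme
PBKDF2_ITERATIONS = 100_000
SCHEME = "pbkdf2_sha256"


def legacy_hash(password: str, salt: bytes = FIXED_SALT) -> str:
    """SHA-1(MD5(password + salt)) with one salt shared by every account.

    Kept only to recognise and upgrade old records: because the salt is
    constant, two users with the same password get the same stored value,
    and one precomputed table cracks every account at once."""
    inner = hashlib.md5(password.encode("utf-8") + salt).digest()
    return hashlib.sha1(inner).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt, iterated KDF, self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (SCHEME, iterations, salt.hex(), digest.hex())


def verify(record: str, password: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:          # malformed record: wrong field count or bad hex/int
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def migrate_plaintext_table(users: Dict[str, str]) -> Dict[str, str]:
    """One-shot migration of a table that still holds plaintext passwords
    (the step mleebert describes as hashing all current passwords in the DB)."""
    return {name: make_record(pw) for name, pw in users.items()}


def login(stored: str, password: str) -> Tuple[bool, str]:
    """Authenticate against either record type.

    Returns (ok, record_to_store). A legacy fixed-salt record that still
    verifies is replaced by a fresh per-user-salt record, so the old scheme
    dies out as users log in, without a forced reset."""
    if stored.startswith(SCHEME + "$"):
        return verify(stored, password), stored
    if hmac.compare_digest(legacy_hash(password), stored):
        return True, make_record(password)
    return False, stored


if __name__ == "__main__":
    # Constructed sample table, as a plaintext-password DB might look pre-migration.
    table = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}
    print("legacy collision:", legacy_hash("correct horse") == legacy_hash("correct horse"))
    migrated = migrate_plaintext_table(table)
    print("salted records differ:", migrated["alice"] != migrated["bob"])
    ok, upgraded = login(legacy_hash("hunter2"), "hunter2")
    print("legacy login upgraded:", ok, upgraded.startswith(SCHEME))
```

The record carries its own scheme tag, iteration count and salt, which is what lets a later release change the KDF or raise the work factor without breaking existing users; the fixed-salt scheme in the post has no such room to move, which is exactly the breakage risk the post warns about.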
Ilija Studen on Apr 5. 2008. 10:06 am
This issue is covered in the latest activeCollab builds (check out activeCollab 1.1 beta, for testing only).
activeCollab team member