aC forum: Passwords store unencrypted in database

Post #14 by Ilija Studen

Ilija Studen — Sat, 05 Apr 2008 15:06:37 UTC

This issue is covered in the latest activeCollab builds (check out activeCollab 1.1 beta, for testing only).

Post #13 by mleebert

mleebert — Fri, 14 Mar 2008 22:59:51 UTC

I've modified the source to use the following scheme to store passwords: SHA-1(MD5(password + salt)). It only took about a dozen lines of code to wire this up. This includes support for adding new users, editing passwords, authentication and forgotten password (generates a new random password). I haven't made any changes to the DB except for hashing all current passwords in the DB. I'm storing the hashed password in the current password field.

Do know that this has the potential to break things if a new release includes a different implementation (MD5, etc). I'm a new customer and I couldn't move AC into production with the way passwords were handled before. I'd like to move to a variable salt, but for now I using predefined salt. Also, I'm not using the API so I haven't investigated what else might need to be changed in order to support this change.

If someone would like me to post the changes so they could patch their system please let me know.

Post #12 by user2037

user2037 — Mon, 10 Mar 2008 12:03:27 UTC

Hashing passwords should --at a minimum-- be the default for an installation. I think it should be required.

From an enterprise standpoint which is worse, requiring users to reset their passwords or notifying them their passwords have been compromised?

And considering that one can reverse most simple md5, sha1 hashes it would be wise to use multiple rounds of hashing using multiple hash types. This should be done carefully so that security is not weakened. It should probably be done, again, on the client-side along with an HMAC mechanism to secure log-in's when TLS is not available.

Post #11 by andrewCharron

andrewCharron — Thu, 07 Feb 2008 19:22:28 UTC

If that is the case, someone should maybe come up with a hack or mod for it? I am not qualified to be creating such a system myself.

Post #10 by sflowers

sflowers — Thu, 07 Feb 2008 18:16:15 UTC

Pretty easy fix actually, an MD5 hash should be sufficient to lock out any prying eyes. It complicates things when moving data between systems, but its not insurmountable.

Post #9 by Davor

Davor — Thu, 07 Feb 2008 09:51:56 UTC

andrewCharron:
No one should ever be able to see someone elses password for any reason. There is no justifying it. This security risk is large, and I can see my employer having a large problem with this. I will have to inform them, and could lead to a refund since we're within the 30 day trial. I need some assurance that this can be fixed, through confirmation that it is in 1.1, a bug fix, hot fix, or hack.

I second that. We are using aC for managing a security research project. We already know now that they will try to hack us, as a sport. This is the way it goes with these kinds of projects. This should really be fixed asap, in 1.1.

Post #8 by Ilija Studen

Ilija Studen — Thu, 07 Feb 2008 01:36:23 UTC

RSDi:
Ilija: what, if anything, do the AC devs plan on doing about this?

We'll see what we can do about this but there is no solid plan at this point.

Post #7 by RSDi

RSDi — Wed, 06 Feb 2008 20:21:19 UTC

I agree fully with andrewCharron. My company just started our trial of activeCollab. We cannot allow a security risk such as this to exist in the app if we continue to use it. Ilija: what, if anything, do the AC devs plan on doing about this?

Post #6 by andrewCharron

andrewCharron — Wed, 06 Feb 2008 19:55:28 UTC

Yes, they have the access to change THIS database, but what of the users who use the same password for multiple site/uses? The hacker now has their email and potential password, and may be able to get into their private email, and through that anything they receive notifications for (Banking, Paypal, etc) and use the same password. Also, what about an employee who has access to the database for admin purposes. Say this admin gets fired. He knows everyones password had he ever looked into the database, and can use that against the company.

No one should ever be able to see someone elses password for any reason. There is no justifying it. This security risk is large, and I can see my employer having a large problem with this. I will have to inform them, and could lead to a refund since we're within the 30 day trial. I need some assurance that this can be fixed, through confirmation that it is in 1.1, a bug fix, hot fix, or hack.

Post #5 by Oliver Maksimović

Oliver Maksimović — Wed, 06 Feb 2008 19:18:29 UTC

Well, on the other hand: if someone gets your database, then it does not matter if your passwords are encrypted or not - the attacker already has everything.

P.S. Don't get me wrong because I'm not defending or accusing anyone here, it's just that I want to bring out another point of view :)