Ticket #1030 (new Feature Request)

Opened 8 years ago

Last modified 8 years ago

increase the password security by adding a per server salt to the config

Reported by: JuergeN Owned by: jri
Priority: Major Milestone: Release 4.8.4
Component: DeepaMehta Standard Distribution Version: 4.8.3
Keywords: Cc:
Complexity: 3 Area: Robustness
Module:

Description

As administrator I want to be able to add a 'salt' to the config file of each server installation, that is used when the password is generated.

Change History

comment:1 Changed 8 years ago by jri

DM does not generate any passwords.
So what do you mean?

comment:2 Changed 8 years ago by jri

When creating a user account DM calculates a SHA-256 hash from the password before storing it in the DB.
Do you mean DM should append a salt to the password before calculating the hash?
This means we must store the salt along with every hash in the DB, right?
(Otherwise DM can't check the password the user enters in the login dialog.)
Or should the salt be the same for all user accounts and be kept in a config file?

comment:4 in reply to: ↑ 3 Changed 8 years ago by JuergeN

Replying to jri:

From what I understand, in DM the user enters a password which is then hashed at the client side before it is stored in the backend. Hashing the password at the client side is a good starting point, but to my understanding a bad idea, if this is the only action to protect the user account.

My suggestion would be to store a server specific salt in a config file at the server side and to add an individual random salt per user which is stored in the database for each user. The user's password will still be hashed once the client side. To make the hash of a very weak or very short password a little bit more secure before hashing, we could prefix it with the hashed username. Then this hash will be rehashed at the server side together with a per user random salt and the server side fixed salt prepended.

As a result one cannot find out a user's password if any of the components is missing. Even if you have the database but not the server side fixed salt (e.g. from a database backup), you still cannot find out the user's password.

You might also want to read these informative articles on the issue:
https://crackstation.net/hashing-security.htm
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Last edited 8 years ago by JuergeN (previous) (diff)
Note: See TracTickets for help on using tickets.