Closed Bug 563369 Opened 14 years ago Closed 14 years ago

Enhance Password Storage to Use SHA256 and Per User Salt for MySQL Backend

Categories

(Cloud Services Graveyard :: Server: Sync, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 546556

People

(Reporter: mcoates, Assigned: telliott)

Details

Issue

Authentication configured to use a MySQL backend is currently designed to store the user's password as an MD5 hash. The MD5 algorithm contains known weaknesses and does not provide adequate protection of the user's credential.

Note: This is only a concern if a deployment uses this authentication approach.

Recommended Solution

Use the SHA256 hashing algorithm with a per-user salt. This approach will leverage a strong hashing algorithm and also integrate a per-user salt to prevent rainbow table (e.g. time-memory trade-off) attacks against the password hashes if they were compromised.

Additional Information:
https://intranet.mozilla.org/Security/Secure_Coding_Guidelines#Password_Storage

Source:
http://hg.mozilla.org/labs/weaveserver/file/87bbb4958df8/server/sync/1.0/weave_authentication.php#l165
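The scheme the report recommends, as an added example that is not code from the Weave server or from the bug's participants: each user gets a fresh random salt, the stored record carries the salt alongside the SHA-256 digest, and verification recomputes the digest from the stored salt. Because two users with the same password get different records, a precomputed table keyed on the bare password is useless against a leaked table. The record format `sha256$<salt>$<digest>` and the legacy-upgrade path (a user whose row still holds an unsalted MD5 digest is re-hashed on the next successful login) are assumptions for this example, not the project's storage layout. One caveat a practitioner would raise today: a single SHA-256 round is fast to brute-force, so production systems should prefer a deliberately slow KDF (PBKDF2, bcrypt, scrypt or Argon2) on top of the per-user salt shown here.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed record layout for this example (not the Weave server's schema):
#   new scheme:    "sha256$<hex salt>$<hex digest>"
#   legacy scheme: "<hex md5 digest>"  (32 hex chars, no separator)
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted SHA-256 record; a fresh random salt is drawn per call (i.e. per user)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG, never a fixed or per-site salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def legacy_md5_record(password: str) -> str:
    """Constructed sample of the old unsalted MD5 storage, used only to exercise the upgrade path."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy_md5(record: str) -> bool:
    return "$" not in record and len(record) == 32


def verify_password(password: str, record: str) -> bool:
    """Check a candidate password against a stored record using a constant-time comparison."""
    if is_legacy_md5(record):
        candidate = legacy_md5_record(password)
        return hmac.compare_digest(candidate, record)
    parts = record.split("$", 2)
    if len(parts) != 3 or parts[0] != "sha256":
        return False
    _, salt_hex, digest = parts
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def verify_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Verify, and if the row still holds a legacy MD5 digest, return a replacement salted record.

    The caller writes the returned record back to the database only when the first element is True.
    """
    ok = verify_password(password, record)
    if ok and is_legacy_md5(record):
        return True, hash_password(password)
    return ok, record


if __name__ == "__main__":
    # Two users sharing a password get different records, so one lookup table cannot serve both.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print(alice)
    print(bob)
    print("same password, same record?", alice == bob)
    # Legacy row upgraded transparently on a successful login.
    old = legacy_md5_record("correct horse")
    ok, new = verify_and_upgrade("correct horse", old)
    print("login ok:", ok, "upgraded:", new.startswith("sha256$"))
```

The upgrade-on-login path lets the MD5 column be retired without forcing a password reset: rows are rewritten as users authenticate, and any row still in legacy form after a grace period can be expired.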
Dupe of bug 546556?
Yes.

Michael, labs/weaveserver is not current, http://hg.mozilla.org/labs/weaveserver-registration/ and http://hg.mozilla.org/labs/weaveserver-sync/ are what you should be auditing... /weaveserver is obsolete... maybe we should rename it.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Ah, glad this came up then :)

So those two links contain all the code?
Mostly. There's a set of new securer auth services in http://hg.mozilla.org/labs/weaveserver-registration-secure (basically, moving high-powered passwords off the webhead) and some admin utils, etc in http://hg.mozilla.org/labs/weaveserver-misc
Product: Cloud Services → Cloud Services Graveyard