Enhance Password Storage to Use SHA256 and Per User Salt for MySQL Backend

RESOLVED DUPLICATE of bug 546556

Status

Product: Cloud Services
Component: Server: Sync
Priority: --
Severity: major
Status: RESOLVED DUPLICATE of bug 546556
Reported: 8 years ago
Last updated: 8 years ago

People

(Reporter: mcoates, Assigned: telliott)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Issue

Authentication configured to use a MySQL backend is currently designed to store the user's password as an MD5 hash.  The MD5 algorithm contains known weaknesses and does not provide adequate protection of the user's credential.

Note: This is only a concern if a deployment uses this authentication approach.

Recommended Solution

Use the SHA256 hashing algorithm with a per-user salt.  This approach will leverage a strong hashing algorithm and also integrate a per-user salt to prevent rainbow table (e.g. time-memory trade-off) attacks against the password hashes if they were compromised.

Additional Information:
https://intranet.mozilla.org/Security/Secure_Coding_Guidelines#Password_Storage

Source:
http://hg.mozilla.org/labs/weaveserver/file/87bbb4958df8/server/sync/1.0/weave_authentication.php#l165
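The scheme the report recommends, as an added illustration written for this page (it is not code from weaveserver or from the reporter, and the record format `salt_hex$digest_hex`, the 16-byte salt length and the sample user table are assumptions of the example). It places the legacy unsalted MD5 scheme beside the salted SHA256 one so the defect is visible: two users with the same password get the same MD5 hash, which is exactly what a precomputed table exploits, while the salted records differ and can only be attacked one at a time.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def md5_legacy(password: str) -> str:
    """The scheme the bug reports: unsalted MD5.

    Identical passwords produce identical, precomputable hashes.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_salt(nbytes: int = 16) -> bytes:
    """Fresh random salt per user (length is an assumption of this example)."""
    return os.urandom(nbytes)


def hash_password(password: str, salt: bytes) -> str:
    """SHA256 over salt || password, stored as 'salt_hex$digest_hex'.

    The salt is not secret; it is stored alongside the digest so the
    same computation can be repeated at login time.
    """
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def create_record(password: str) -> str:
    """What would be written to the MySQL password column for a new user."""
    return hash_password(password, make_salt())


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _sep, _digest = record.partition("$")
    expected = hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(expected, record)


def compare_schemes(users: dict = USERS) -> tuple:
    """Return (legacy hashes collide, salted records differ) for the sample users."""
    legacy = {u: md5_legacy(p) for u, p in users.items()}
    salted = {u: create_record(p) for u, p in users.items()}
    return (
        legacy["alice"] == legacy["bob"],
        salted["alice"] != salted["bob"],
    )


if __name__ == "__main__":
    print("legacy MD5 collides, salted SHA256 differs:", compare_schemes())
    rec = create_record("correct horse")
    print("stored record:", rec)
    print("login ok:", verify_password(rec, "correct horse"))
    print("wrong password:", verify_password(rec, "battery staple"))
```

Two points a reviewer would check in a real implementation of this recommendation: the salt must come from a CSPRNG and be unique per user (reusing one site-wide salt only moves the precomputation cost once), and the comparison at login must be constant-time. Note also that a plain SHA256 is fast, so a per-user salt stops table lookups but does not slow down guessing against a single stolen record; that limitation is inherent in the scheme the report asks for.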
Dupe of bug 546556?
Yes.

Michael, labs/weaveserver is not current, http://hg.mozilla.org/labs/weaveserver-registration/ and http://hg.mozilla.org/labs/weaveserver-sync/ are what you should be auditing... /weaveserver is obsolete... maybe we should rename it.
No longer blocks: 563371
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 546556
Ah, glad this came up then :)

So those two links contain all the code?
(Assignee)

Comment 4

8 years ago
Mostly. There's a set of new, more secure auth services in http://hg.mozilla.org/labs/weaveserver-registration-secure (basically, moving high-powered passwords off the webhead) and some admin utils, etc. in http://hg.mozilla.org/labs/weaveserver-misc