Issue

Authentication configured to use a MySQL backend is currently designed to store the user's password as an MD5 hash. The MD5 algorithm contains known weaknesses and does not provide adequate protection of the user's credential.

Note: This is only a concern if a deployment uses this authentication approach.

Recommended Solution

Use the SHA256 hashing algorithm with a per-user salt. This approach will leverage a strong hashing algorithm and also integrate a per-user salt to prevent rainbow table (e.g. time-memory trade-off) attacks against the password hashes if they were compromised.

Additional Information: https://intranet.mozilla.org/Security/Secure_Coding_Guidelines#Password_Storage

Source: http://hg.mozilla.org/labs/weaveserver/file/87bbb4958df8/server/sync/1.0/weave_authentication.php#l165
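The change the report asks for, as an added example that is not code from the Weave server: a legacy unsalted MD5 row is verified and rewritten as SHA-256 with a per-user salt at the next successful login, since the server cannot recover the plaintext from the stored hash. The record layout and the names `scheme`, `salt`, `hash` and `verify_and_upgrade` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hash(password: str) -> str:
    """Legacy scheme from the report: unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Recommended scheme from the report: SHA-256 over per-user salt + password."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def new_record(password: str) -> dict:
    """Build a row with a fresh random 16-byte salt (hypothetical row layout)."""
    salt = secrets.token_bytes(16)
    return {"scheme": "sha256", "salt": salt.hex(),
            "hash": salted_sha256(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login attempt; on success, rewrite a legacy MD5 row in place."""
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(record["hash"], md5_hash(password))
        if ok:
            # Only now is the plaintext available, so re-hash with a salt.
            record.update(new_record(password))
        return ok
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], salted_sha256(password, salt))


def demo() -> tuple:
    """Two constructed users who picked the same password."""
    alice = {"scheme": "md5", "salt": "", "hash": md5_hash("correct horse")}
    bob = {"scheme": "md5", "salt": "", "hash": md5_hash("correct horse")}
    same_before = alice["hash"] == bob["hash"]  # unsalted: identical rows
    verify_and_upgrade(alice, "correct horse")
    verify_and_upgrade(bob, "correct horse")
    same_after = alice["hash"] == bob["hash"]   # salted: rows now differ
    return same_before, same_after


if __name__ == "__main__":
    print(demo())
```

The salt defeats precomputed tables, as the report says; it does not slow guessing against a single stolen hash, which is what a deliberately slow function such as PBKDF2 or bcrypt adds.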
Dupe of bug 546556?
Yes. Michael, labs/weaveserver is not current, http://hg.mozilla.org/labs/weaveserver-registration/ and http://hg.mozilla.org/labs/weaveserver-sync/ are what you should be auditing... /weaveserver is obsolete... maybe we should rename it.
No longer blocks: 563371
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 546556
Ah, glad this came up then :) So those two links contain all the code?
Mostly. There's a set of new securer auth services in http://hg.mozilla.org/labs/weaveserver-registration-secure (basically, moving high-powered passwords off the webhead) and some admin utils, etc. in http://hg.mozilla.org/labs/weaveserver-misc