Closed
Bug 563369
Opened 14 years ago
Closed 14 years ago
Enhance Password Storage to Use SHA256 and Per User Salt for MySQL Backend
Categories
(Cloud Services Graveyard :: Server: Sync, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 546556
People
(Reporter: mcoates, Assigned: telliott)
Details
Issue

Authentication configured to use a MySQL backend is currently designed to store the user's password as an MD5 hash. The MD5 algorithm contains known weaknesses and does not provide adequate protection of the user's credential.

Note: This is only a concern if a deployment uses this authentication approach.

Recommended Solution

Use SHA256 hashing algorithm with a per-user salt. This approach will leverage a strong hashing algorithm and also integrate a per-user salt to prevent rainbow table (e.g. time-memory trade-off) attacks against the password hashes if they were compromised.

Additional Information: https://intranet.mozilla.org/Security/Secure_Coding_Guidelines#Password_Storage

Source: http://hg.mozilla.org/labs/weaveserver/file/87bbb4958df8/server/sync/1.0/weave_authentication.php#l165
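
The two storage schemes contrasted in the description above, as an added PHP example that is not part of the original bug report or the Weave server code: identical passwords give identical unsalted MD5 hashes, a per-user salt makes each stored SHA-256 hash distinct, and legacy records can be upgraded at login, the only time the plaintext is available. Function names, the record layout, and the salt-then-password concatenation are assumptions.

```php
<?php
// Added illustration; function names and the record layout are hypothetical,
// not taken from weave_authentication.php. Requires PHP 7+ for random_bytes().

// Legacy scheme described in the report: unsalted MD5 of the password.
function legacy_md5_record(string $password): array {
    return ['scheme' => 'md5', 'salt' => '', 'hash' => md5($password)];
}

// Scheme recommended in the report: SHA-256 over a random per-user salt
// followed by the password (concatenation order is an assumption).
function salted_sha256_record(string $password): array {
    $salt = bin2hex(random_bytes(16)); // 128-bit salt, generated per user
    return ['scheme' => 'sha256', 'salt' => $salt,
            'hash' => hash('sha256', $salt . $password)];
}

// Verify a password against either scheme; hash_equals() compares the
// stored and candidate digests in constant time.
function verify_record(array $rec, string $password): bool {
    $candidate = $rec['scheme'] === 'md5'
        ? md5($password)
        : hash('sha256', $rec['salt'] . $password);
    return hash_equals($rec['hash'], $candidate);
}

// Login: returns null on failure. On success with a legacy MD5 record,
// returns an upgraded salted record for the caller to write back to MySQL.
function login(array $rec, string $password): ?array {
    if (!verify_record($rec, $password)) {
        return null;
    }
    return $rec['scheme'] === 'md5' ? salted_sha256_record($password) : $rec;
}

// Constructed sample data: two users who chose the same password.
$alice = legacy_md5_record('correct horse');
$bob   = legacy_md5_record('correct horse');
var_dump($alice['hash'] === $bob['hash']);        // compare unsalted MD5 records

$alice = login($alice, 'correct horse');          // both records upgraded at login
$bob   = login($bob, 'correct horse');
var_dump($alice['hash'] === $bob['hash']);        // compare salted SHA-256 records
var_dump(verify_record($alice, 'correct horse')); // upgraded record still verifies
var_dump(login($bob, 'wrong guess'));             // failed login leaves no new record
```
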
Comment 1•14 years ago
Dupe of bug 546556?
Comment 2•14 years ago
Yes. Michael, labs/weaveserver is not current, http://hg.mozilla.org/labs/weaveserver-registration/ and http://hg.mozilla.org/labs/weaveserver-sync/ are what you should be auditing... /weaveserver is obsolete... maybe we should rename it.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 3•14 years ago (Reporter)
Ah, glad this came up then :) So those two links contain all the code?
Comment 4•14 years ago (Assignee)
Mostly. There's a set of new securer auth services in http://hg.mozilla.org/labs/weaveserver-registration-secure (basically, moving high-powered passwords off the webhead) and some admin utils, etc in http://hg.mozilla.org/labs/weaveserver-misc
Updated•1 year ago
Product: Cloud Services → Cloud Services Graveyard