Closed Bug 578097 Opened 14 years ago Closed 14 years ago

Enhance CEF Logging for Failed Login to Provide Hash of Wrong Password

Categories

(Cloud Services Graveyard :: Server: Sync, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 570410

People

(Reporter: mcoates, Assigned: telliott)

Details

Update the failed login (auth failed) detection points to also provide a salted hash of the provided password. This will allow security to review the provided hash and determine if the same incorrect password is being repeatedly used or if the attacker is attempting multiple passwords (e.g. brute force attack).

A few important design notes:

1. Use the same strong hashing algorithm we are using for normal pass storage.
2. Use a salt in the pass hash process, but this salt must be different than the salt used for our normal stored passwords.
3. Use the same static salt for all pass hashes provided via this detection point. This way password "whatever" will show up as the same hash in our security logs each time.
Flags: blocking-fx-sync1.4?
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
just to make sure I have this clear - you want us to use a single salt to hash all of the passwords?
The approach described in bug 570410 is better. Disregard the notes above on salting. I'll add some notes to the other bug.
(In reply to comment #2)
> just to make sure I have this clear - you want us to use a single salt to hash
> all of the passwords?

I dearly hope not.
Flags: blocking-fx-sync1.4?
Product: Cloud Services → Cloud Services Graveyard
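The correlation the description asks for, as an added example (not code from this bug or from bug 570410): the single static salt that the later comments reject is replaced by an HMAC with a log-only secret key, a CEF auth-failed line carries the resulting fingerprint, and a per-account check separates one repeated wrong password from many distinct guesses. The key value, the `pwfp` custom-field label, the `AUTH_FAILED` signature ID and the sample log lines are constructed for this example.

```python
import hmac
import hashlib
from collections import defaultdict

# Assumed per-deployment secret used only for log fingerprints (constructed
# placeholder); it must differ from anything used for stored password hashes.
FINGERPRINT_KEY = b"example-log-fingerprint-key-not-for-production"

def password_fingerprint(password: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Deterministic keyed fingerprint: same wrong password -> same value,
    but not guessable offline from the logs without the key. Truncated to
    16 hex chars, enough to correlate entries."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def format_auth_failure(user: str, src_ip: str, password: str) -> str:
    """One CEF-style auth-failed line with the fingerprint in a custom field."""
    return (f"CEF:0|Mozilla|Sync|1.4|AUTH_FAILED|Authentication failure|5|"
            f"suser={user} src={src_ip} cs1Label=pwfp cs1={password_fingerprint(password)}")

def parse_extension(line: str) -> dict:
    """Key=value pairs from the CEF extension (everything after the 7th '|')."""
    return dict(kv.split("=", 1) for kv in line.split("|", 7)[7].split())

def classify_failures(lines, threshold: int = 3) -> dict:
    """Per user: 'repeated' if several failures share one fingerprint (stale or
    mistyped password), 'brute_force' if >= threshold distinct fingerprints,
    otherwise 'inconclusive'."""
    fps = defaultdict(list)
    for line in lines:
        ext = parse_extension(line)
        fps[ext["suser"]].append(ext["cs1"])
    verdict = {}
    for user, seen in fps.items():
        distinct = len(set(seen))
        if distinct >= threshold:
            verdict[user] = "brute_force"
        elif len(seen) > 1 and distinct == 1:
            verdict[user] = "repeated"
        else:
            verdict[user] = "inconclusive"
    return verdict

# Constructed sample: alice retries one stale password, bob gets many guesses,
# carol fails once.
SAMPLE_LOG = (
    [format_auth_failure("alice", "10.0.0.5", "OldPassw0rd!")] * 3
    + [format_auth_failure("bob", "203.0.113.9", p)
       for p in ("123456", "password", "letmein", "qwerty")]
    + [format_auth_failure("carol", "10.0.0.8", "typo")]
)
```

Running `classify_failures(SAMPLE_LOG)` yields `repeated` for alice, `brute_force` for bob and `inconclusive` for carol.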