Bug 578097: Enhance CEF Logging for Failed Login to Provide Hash of Wrong Password
Status: Closed, RESOLVED DUPLICATE of bug 570410
Opened 14 years ago; closed 14 years ago
Product / Component: Cloud Services Graveyard :: Server: Sync (defect)
Tracking: Not tracked
Reporter: mcoates; Assignee: telliott

Description (Reporter):
Update the failed login (auth failed) detection points to also provide a salted hash of the provided password. This will allow security to review the provided hash and determine if the same incorrect password is being repeatedly used or if the attacker is attempting multiple passwords (e.g. brute force attack).
A few important design notes:
1. Use the same strong hashing algorithm we are using for normal pass storage.
2. Use a salt in the pass hash process, but this salt must be different from the salt used for our normal stored passwords.
3. Use the same static salt for all pass hashes provided via this detection point. This way password "whatever" will show up as the same hash in our security logs each time.
Flags: blocking-fx-sync1.4?
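As an added example (not code from this bug or from the Sync server), here is the review side of what the description asks for: given failed-login CEF events that carry a stable hash of the rejected password, parse the records and tell, per account and source, whether one wrong password keeps being resubmitted or many different ones are being tried. The extension field names suser, src and cs1, the sample lines and the AuthFail signature ID are assumptions; how the hash is produced is left to bug 570410 and not modelled here.

```python
import re
from collections import defaultdict
# Constructed sample lines (not from the bug). Assumed keys: suser = account, src = client
# address, cs1 = hash of the rejected password (equal passwords must give equal hashes).
SAMPLE_CEF = """\
CEF:0|Mozilla|Sync|1.4|AuthFail|Authentication failed|5|suser=alice src=203.0.113.7 cs1=h1
CEF:0|Mozilla|Sync|1.4|AuthFail|Authentication failed|5|suser=alice src=203.0.113.7 cs1=h1
CEF:0|Mozilla|Sync|1.4|AuthFail|Authentication failed|5|suser=alice src=203.0.113.7 cs1=h1
CEF:0|Mozilla|Sync|1.4|AuthFail|Authentication failed|5|suser=bob src=198.51.100.9 cs1=h2
CEF:0|Mozilla|Sync|1.4|AuthFail|Authentication failed|5|suser=bob src=198.51.100.9 cs1=h3
CEF:0|Mozilla|Sync|1.4|AuthFail|Authentication failed|5|suser=bob src=198.51.100.9 cs1=h4
"""
HEADER_KEYS = ("version", "vendor", "product", "device_version", "sig_id", "name", "severity")

def parse_cef(line):
    """Return (header dict, extension dict); honours \\| and \\\\ escapes in header fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    body, fields, cur, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and i + 1 < len(body):   # escaped | or \ inside a header field
            cur.append(body[i + 1]); i += 2; continue
        if body[i] == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(body[i])
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    ext, extension = body[i:], {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))  # a value runs until the next key=
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        extension[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return dict(zip(HEADER_KEYS, fields)), extension

def classify_failures(cef_text, threshold=3):
    """Per (account, source): (attempts, distinct hashes, verdict) over AuthFail events.
    One repeated hash suggests a stale saved credential; many distinct hashes, guessing."""
    seen = defaultdict(list)
    for line in filter(str.strip, cef_text.splitlines()):
        header, ext = parse_cef(line)
        if header["sig_id"] == "AuthFail":
            seen[(ext.get("suser"), ext.get("src"))].append(ext.get("cs1"))
    verdicts = {}
    for key, hashes in seen.items():
        attempts, distinct = len(hashes), len(set(hashes))
        label = ("too few attempts" if attempts < threshold else
                 "same wrong password repeated" if distinct == 1 else "multiple passwords tried")
        verdicts[key] = (attempts, distinct, label)
    return verdicts
```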
Updated by Reporter, 14 years ago:
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 2 (Assignee, 14 years ago):
Just to make sure I have this clear - you want us to use a single salt to hash all of the passwords?
Comment 3 (Reporter, 14 years ago):
The approach described in bug 570410 is better. Disregard the notes above on salting. I'll add some notes to the other bug.
Comment 4 (14 years ago):
(In reply to comment #2)
> just to make sure I have this clear - you want us to use a single salt to hash
> all of the passwords?
I dearly hope not.
Updated 14 years ago:
Flags: blocking-fx-sync1.4?
Updated 2 years ago:
Product: Cloud Services → Cloud Services Graveyard