Passwords are not seeded
------------------------
Key: OFBIZ-1151
URL: https://issues.apache.org/jira/browse/OFBIZ-1151
Project: OFBiz
Issue Type: Improvement
Components: party
Affects Versions: SVN trunk, Release Branch 4.0
Reporter: Wickersheimer Jeremy
Priority: Minor

Passwords are currently hashed but not seeded, which may be a security issue.

--
This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513168 ]
Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

Jeremy,

Did you notice that they use a one-way-only encryption (i.e. no decryption is normally possible; of course, even the better encryption algorithms known so far have been cracked)? If I remember well, SHA-1 is used: http://en.wikipedia.org/wiki/SHA-1

This may also interest you: http://www.nabble.com/How-do-I-decrypt-passwords--tf3081869.html#a8562707
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513173 ]
Guido Amarilla commented on OFBIZ-1151:
---------------------------------------

Jeremy,

Are you talking about adding a salt to the password? Ref: http://en.wikipedia.org/wiki/Salt_(cryptography)

In this case it would increase security, but the seed data passwords would become invalid. It would be even safer for each implementation if you keep this salt secret.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513172 ]
Wickersheimer Jeremy commented on OFBIZ-1151:
---------------------------------------------

Seeding passwords is not related to the strength of the hashing algorithm; having the seed + hash is equally easy as having the hash because it is in the same place. It is critical to protect those hashes from dictionary attacks by attackers who obtained those hashes... like anyone using the webtool could do.

Passwords should be protected as much as possible because it is very likely that a user's password would be the same for other applications (Windows auth, emails, ...).
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513177 ]
Wickersheimer Jeremy commented on OFBIZ-1151:
---------------------------------------------

PS: the second link is the problem exactly. Someone proposed to salt the passwords, which is what should be done.

The modification would be trivial really:
- When you store a password you generate a random salt.
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)".

When you check a password, you just need to re-add the salt before hashing and comparing to the DB. You can also concatenate the salt and hashed(salt+pass) in one field because both have a predefined size.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12513177 ]
Wickersheimer Jeremy edited comment on OFBIZ-1151 at 7/17/07 1:05 AM:
----------------------------------------------------------------------

Yes, the Nabble link is the problem exactly. Someone proposed to salt the passwords, which is what should be done.

The modification would be trivial really:
- When you store a password you generate a random salt.
- Then you store in the DB two fields: the "salt" (hash of a random string), and the "hashed(salt+password)".

When you check a password, you just need to re-add the salt before hashing and comparing to the DB. You can also concatenate the salt and hashed(salt+pass) in one field because both have a predefined size.
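The procedure described in the comment above, written out as an added example. This is illustrative code, not OFBiz's own implementation. It keeps SHA-1 as the digest because that is the algorithm the thread says OFBiz used; the 16-byte salt length, the field names and the hash-to-password lookup table standing in for an attacker's precomputed dictionary are assumptions of the example. It also shows the point raised later in the thread: two users who pick the same password get different stored hashes, and a table precomputed against unsalted digests no longer matches a salted one.

```python
import hashlib
import hmac
import secrets

# Assumed salt size for the example; the comment only says "a random salt".
SALT_BYTES = 16


def unsalted_hash(password):
    """The scheme the thread describes as current: sha1(password) only."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_salt():
    """Random salt from the OS CSPRNG, hex-encoded so it fits a text column."""
    return secrets.token_hex(SALT_BYTES)


def salted_hash(salt, password):
    """hashed(salt+password), the construction proposed in the comment."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def store_password(password):
    """Produce the two fields the comment says to persist: salt and hashed(salt+password)."""
    salt = make_salt()
    return {"salt": salt, "hash": salted_hash(salt, password)}


def check_password(record, candidate):
    """Re-add the stored salt, hash the candidate and compare in constant time."""
    return hmac.compare_digest(record["hash"], salted_hash(record["salt"], candidate))


def lookup_in_table(table, stolen_hash):
    """Attacker side: look a stolen digest up in a precomputed digest -> password table."""
    return table.get(stolen_hash)


def demo():
    """Constructed scenario: two users share a weak password; the attacker has a wordlist table."""
    common = "password1"
    alice = store_password(common)
    bob = store_password(common)

    # Constructed attacker wordlist, hashed once against the unsalted scheme.
    wordlist = ["123456", "password", "password1", "letmein"]
    table = {unsalted_hash(w): w for w in wordlist}

    return {
        "same_hash_for_same_password": alice["hash"] == bob["hash"],
        "alice_ok": check_password(alice, common),
        "bob_ok": check_password(bob, common),
        "wrong_password_accepted": check_password(alice, "password2"),
        # Unsalted digest: the table gives the password back immediately.
        "unsalted_recovered": lookup_in_table(table, unsalted_hash(common)),
        # Salted digest: the same table misses; it would have to be rebuilt per salt.
        "salted_recovered": lookup_in_table(table, alice["hash"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One caveat the thread does not spell out: the salt removes the shared precomputed table, but it does not change the cost of testing a single guess. SHA-1 over salt+password is as fast as SHA-1 alone, so an attacker holding one row can still run a wordlist against that row's salt; a deliberately slow, iterated password hash is the usual complement to salting.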
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux reassigned OFBIZ-1151:
--------------------------------------

Assignee: Jacques Le Roux
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535963 ]
Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

I agree that salting could be a solution for dictionary attacks. But why not replace the encryption algorithm by a newer and safer one (RIPEMD-160, SHA-256, Whirlpool, etc.), my preference being SHA-256? I think it's easier, isn't it?
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535968 ]
Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

Just a link, not checked: http://islab.oregonstate.edu/koc/ece575/03Project/Mundle/
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536091 ]
Wickersheimer Jeremy commented on OFBIZ-1151:
---------------------------------------------

Replacing the algorithm won't change anything about the problem, and adding a salt is not difficult at all. If I have some time I will try to work on it.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536099 ]
Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

> Replacing the algorithm won't change anything about the problem, and adding a
> salt is not difficult at all. If I have some time I will try to work on it.

I agree. SHA-256 is just as concrete a one-way hash algorithm as MD5. Hashing a certain string will still always predictably produce a certain hash result, so hackers can easily work backwards to get the password. The common practice (for a very long time now) is to salt it. In fact, financial institutions even store the salt somewhere else, somewhere really safe.

> It is critical to protect those hashes from dictionary attacks by attackers
> who obtained those hashes... like anyone using the webtool could do.

But wouldn't webtool also yield the salt as well?

But still, I agree that salting the password would make dictionary attacks exponentially arduous. For a certain password, it is stored differently (thanks to the random salt) in each instance where it is stored (say 2 or more users happen to like the same password). Therefore, for each hash stored in the database, an attacker would have to do additional computation (the dictionary attack has to be completely recoded, actually).

For common needs, salting will adequately make dictionary attacks expensive (or impossible). It is incredibly easy to do dictionary attacks on un-salted password hashes.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536103 ]
Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

Guido,

> In this case it would increase security, but the seed data passwords would
> become invalid.

The password hashes will certainly need to be recomputed if the new implementation adds a salt.

In fact, to make brute force attacks even more expensive, the salt can be changed often (say every time the password hash is accessed) and the password hash recomputed. If it might take 24 hours for a super-computer to compute the password from a password hash and its salt, the salt could be changed every 23 hours.

The ability to keep the salt secret in a strong and secure box will certainly be good. Not very cheap, though. Depends on how strong and how secure the salt box is.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542844 ]
Michael Jensen commented on OFBIZ-1151:
---------------------------------------

Is anyone working on this already? I'd like to help out with it. I'm kind of a hack with OFBiz, so I'd need a little direction/mentoring on how to create an acceptable patch for the project.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542871 ]
BJ Freeman commented on OFBIZ-1151:
-----------------------------------

A couple of things to remember:
1) For creation of employees, they like to use a password they will remember.
2) When sending a new customer notification, it should come back to a link that lets them change the password.
3) Products lets you define a default password, so add an option to have it auto-created.

There are a couple of places where the hard-coded passwords are.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542935 ]
Wickersheimer Jeremy commented on OFBIZ-1151:
---------------------------------------------

Hi,

I am not working on it, but I can help you if you need information.

--
WICKERSHEIMER Jérémy
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542940 ]
Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

BJ said:
> for creation of employees they like to use a password they will remember.

For the sake of easy migration, we could add a temporary field beside each password, say "isRehashed" (boolean). If "isRehashed" is false, process the incoming password with the old code without salt, then rehash it with salt, and then set "isRehashed" to true.
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542952 ]
Michael Jensen commented on OFBIZ-1151:
---------------------------------------

One option is to use the same field for the hash, but adding a colon and the salt to the end of the string. This way it would be easy to distinguish between salted and non-salted passwords and validate accordingly. I've seen a few projects that store password hashes this way. The Linux /etc/shadow file also stores the hash and salt in one field (but that doesn't mean it is best for this situation).

An alternative could be to just have the salt stored in another field in the same table and, if it isn't empty, the password hash is salted. (You have to store the salt somewhere anyway.)
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12542977 ]
Jonathon Wong commented on OFBIZ-1151:
--------------------------------------

Oh yes! That will do away with the need for a new entity field like "isRehashed". I would like the salt to be appended to the password hash after a ":", so we don't need to create a new entity field for the salt. The ':' character doesn't appear in a password hash.
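The combined-field scheme from the last two comments, together with the upgrade-on-login migration Jonathon proposed earlier in the thread, as an added example. This is illustrative code, not OFBiz's implementation. The ":" separator and the `hash:salt` field order come from the comments; the 16-byte salt length, the function names and the in-memory dict standing in for the database table are assumptions of the example. A row without ":" is treated as a legacy unsalted hash and checked the old way; once that check succeeds the plaintext is available, so the row is rewritten in the salted format, which is what makes a separate "isRehashed" flag unnecessary.

```python
import hashlib
import hmac
import secrets

SEPARATOR = ":"   # proposed in the thread; a hex digest never contains ':'
SALT_BYTES = 16   # assumed salt size for the example


def sha1_hex(data):
    """SHA-1 as a hex string, the digest the thread says OFBiz used."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def encode_salted(salt, password):
    """New-format field: '<hex sha1(salt+password)>:<salt>'."""
    return sha1_hex(salt + password) + SEPARATOR + salt


def parse_field(field):
    """Split a stored field into (digest, salt); salt is None for a legacy unsalted row."""
    if SEPARATOR not in field:
        return field, None
    digest, salt = field.split(SEPARATOR, 1)
    return digest, salt


def is_salted(field):
    """The presence of the separator is what tells the two formats apart."""
    return parse_field(field)[1] is not None


def verify(field, candidate):
    """Validate against whichever format the row is in, comparing in constant time."""
    digest, salt = parse_field(field)
    computed = sha1_hex(candidate if salt is None else salt + candidate)
    return hmac.compare_digest(digest, computed)


def login(db, user, candidate):
    """Check the password; on success, rewrite a legacy row in the salted format."""
    field = db.get(user)
    if field is None or not verify(field, candidate):
        return False
    if not is_salted(field):
        # Only a successful old-style check gives us the plaintext to re-hash with a salt.
        db[user] = encode_salted(secrets.token_hex(SALT_BYTES), candidate)
    return True


def demo():
    """Constructed table: one row already in the new format, one legacy unsalted row."""
    db = {
        "admin": encode_salted(secrets.token_hex(SALT_BYTES), "ofbiz"),
        "legacy": sha1_hex("ofbiz"),
    }
    result = {"legacy_salted_before": is_salted(db["legacy"])}
    result["wrong_password_rejected"] = not login(db, "legacy", "wrong")
    result["legacy_untouched_after_failure"] = not is_salted(db["legacy"])
    result["legacy_login_ok"] = login(db, "legacy", "ofbiz")
    result["legacy_salted_after"] = is_salted(db["legacy"])
    result["legacy_login_again_ok"] = login(db, "legacy", "ofbiz")
    result["admin_login_ok"] = login(db, "admin", "ofbiz")
    result["unknown_user_rejected"] = not login(db, "nobody", "ofbiz")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A row is upgraded only when its owner logs in successfully, so accounts that never log in again stay in the old unsalted format; that is the gap a forced password change (of the kind BJ's notification link would provide) closes.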
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12549776 ]
Jacques Le Roux commented on OFBIZ-1151:
----------------------------------------

I will soon create a general task for security issues. All current pending security issues will be children of this new task.