View Issue Details
Field | Value |
---|---|
ID | 0000274 |
Project | WackoWiki |
Category | security |
View Status | public |
Date Submitted | 2009-03-02 21:24 |
Last Update | 2011-05-31 21:24 |
Reporter | administrator |
Assigned To | administrator |
Priority | normal |
Severity | feature |
Reproducibility | N/A |
Status | resolved |
Resolution | fixed |
Product Version | 4.2 |
Target Version | 5.0.beta |
Fixed in Version | 5.0.beta |
Summary | 0000274: Implement secure/salted hashing algorithm for passwords |
Description | Upgrade the authentication system to use SHA1 or better hashing for passwords, with a randomized salt for each user's hash. Login-time rehashing of users' passwords should be supported to accommodate old user accounts. |
Tags | No tags attached. |
Relationships | related to 0000357 (resolved, administrator): Use SHA256 for passwords as default |
I'm itchy to try to resolve this, but I can't promise a timeplan.

At login.php line 45:

```php
// this variable should go to config.php
$OLD_LOGIN = 0;
// internal variable
$CHECK_LOGIN = 0;
// in php sha1 returns a 40char string; the password column is 32 chars
// wide, so only the first 32 are stored and compared (computed once here
// so the stored value and the compared value cannot drift apart)
$new_hash = substr(sha1($_POST["password"]), 0, 32);

// strict comparison: loose == would treat two "0e..." hex strings as equal numbers
if ($existingUser["password"] === $new_hash)
{
    $CHECK_LOGIN = 1;
}
elseif ($OLD_LOGIN && ($existingUser["password"] === md5($_POST["password"])))
{
    // update database with the sha1 password for future logins.
    // The hash is hex only, and the name is escaped instead of being
    // interpolated raw from $_POST (assumes Query() runs on the mysql extension).
    $this->Query("UPDATE " . $this->config["table_prefix"] . "users"
        . " SET password = '" . $new_hash . "'"
        . " WHERE name = '" . mysql_real_escape_string($_POST["name"]) . "'");
    $CHECK_LOGIN = 1;
}

if ($CHECK_LOGIN)
{
    $this->LogUserIn($existingUser);
    $this->SetUser($existingUser);
    $this->SetBookmarks(BM_USER);
    $this->context[++$this->current_context] = "";
    if (isset($_REQUEST["goback"]) && $_REQUEST["goback"] != "")
    {
        $this->Redirect($this->Href("", stripslashes($_REQUEST["goback"]), "cache=" . rand(0, 1000)));
    }
    $this->Redirect($this->href());
}
else
{
    $error = $this->GetResourceValue("WrongPassword");
    $name = $_POST["name"];
    $focus = 1;
}
```

If you like this hack, I can proceed to make all the necessary changes for SHA1 logins/registrations/installation etc. I hope my code is clean and straightforward for future maintenance.

That looks rather good to me, makes it really simple to add a new database column later to support the full 40 char string.

a) add a new login method (e.g. SHA1)

b) allow for existing installations to move to it. This means that the code will upgrade existing users from MD5 (or whatever it is) to SHA1 as the users login.

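The migrate-on-login scheme the issue asks for (a random per-user salt, a stronger hash, and rehashing of legacy MD5/SHA1 rows the moment a user logs in), written out in PHP as an added example. This is not WackoWiki's own code: the `sha256$<salt>$<hash>` storage format, the 16-byte salt, the function names and the in-memory `$users` rows are this example's own choices, and the legacy-format detection by hash length is an assumption based on the 32-char and VARCHAR(40) column sizes mentioned in this thread.

```php
<?php
// Added example, not WackoWiki's own code: per-user random salt, a stronger
// hash, and login-time rehashing of legacy (unsalted MD5 / SHA1) rows.
// The "sha256$<salt>$<hash>" storage format, the salt length and the
// function names are this example's own choices. Requires PHP 7.1+.

const SALT_BYTES = 16;   // 16 random bytes = 32 hex chars (the thread floated "4 digits")

// Hash a plaintext password with a fresh random salt.
function make_salted_hash(string $password): string
{
    $salt = bin2hex(random_bytes(SALT_BYTES));
    return 'sha256$' . $salt . '$' . hash('sha256', $salt . $password);
}

// Check a password against a salted record; false for any other format.
function verify_salted_hash(string $stored, string $password): bool
{
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3 || $parts[0] !== 'sha256') {
        return false;
    }
    [, $salt, $hash] = $parts;
    // constant-time comparison so the mismatch position is not timing-visible
    return hash_equals($hash, hash('sha256', $salt . $password));
}

// Legacy formats accepted only so that existing accounts can be migrated
// (assumption: 32 hex chars = old unsalted MD5, 40 hex chars = interim
// unsalted SHA1, matching the column sizes mentioned in this issue).
function verify_legacy_hash(string $stored, string $password): bool
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return hash_equals($stored, md5($password));
    }
    if (preg_match('/^[0-9a-f]{40}$/', $stored)) {
        return hash_equals($stored, sha1($password));
    }
    return false;
}

// Login check. Returns the user row (rehashed if it was in a legacy
// format) on success, or null on failure. The caller persists the new
// value with a parameterised UPDATE; nothing here touches a database.
function login(array $user, string $password): ?array
{
    if (verify_salted_hash($user['password'], $password)) {
        return $user;
    }
    if (verify_legacy_hash($user['password'], $password)) {
        // the plaintext is only available at login time, so rehash now
        $user['password'] = make_salted_hash($password);
        $user['rehashed'] = true;
        return $user;
    }
    return null;
}

// Constructed sample rows: one legacy MD5 account, one already migrated.
$users = [
    'alice' => ['name' => 'alice', 'password' => md5('correct horse')],
    'bob'   => ['name' => 'bob',   'password' => make_salted_hash('battery staple')],
];

$alice = login($users['alice'], 'correct horse');
assert($alice !== null && ($alice['rehashed'] ?? false) === true);
assert(substr($alice['password'], 0, 7) === 'sha256$');
assert(login($alice, 'correct horse') !== null);             // migrated row still logs in
assert(login($users['alice'], 'wrong password') === null);   // failure never rehashes
assert(login($users['bob'], 'battery staple') !== null);
echo "all checks passed\n";
```

Two practical points the thread does not spell out: a single salted SHA-256 is still fast to brute-force offline, so on any PHP that has them, `password_hash()`, `password_verify()` and `password_needs_rehash()` give this same migrate-on-login pattern with a deliberately slow salted algorithm (bcrypt by default) and are the better choice; and the rehashed value must be written back with a parameterised UPDATE, never by interpolating request values into the SQL string.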
rev1083 - altered field size for 'password' to VARCHAR(40). Use SHA1 for passwords as default - http://wackowiki.hg.sourceforge.net/hgweb/wackowiki/stable/rev/d68f6b3518ce

http://wackowiki.hg.sourceforge.net/hgweb/wackowiki/stable/rev/2f7fb82350d9 Please test the new salted password. I guess 4 digits are enough, but we can make the salt strength a config value.
Date Modified | Username | Field | Change |
---|---|---|---|
2009-03-02 21:24 | administrator | New Issue | |
2009-03-03 08:29 | ebal | Note Added: 0000586 | |
2009-03-04 12:36 | ebal | Status | new => assigned |
2009-03-04 12:36 | ebal | Assigned To | => ebal |
2009-03-04 13:02 | ebal | Note Added: 0000587 | |
2009-11-02 19:04 | administrator | Target Version | => 5.0.0 |
2009-11-03 08:58 | administrator | Note Added: 0000724 | |
2010-02-18 16:13 | administrator | Note Added: 0000741 | |
2010-03-08 10:22 | administrator | Category | Security => security |
2010-03-18 19:23 | administrator | Note Edited: 0000741 | |
2010-03-18 20:01 | administrator | Relationship added | related to 0000357 |
2010-03-31 09:59 | administrator | Note Added: 0000756 | |
2010-04-05 17:29 | administrator | Assigned To | ebal => administrator |
2010-04-05 17:29 | administrator | Status | assigned => resolved |
2010-04-05 17:29 | administrator | Resolution | open => fixed |
2010-04-05 17:29 | administrator | Fixed in Version | => 5.0.beta |
2010-04-05 17:29 | administrator | Target Version | 5.0.0 => 5.0.beta |
2011-05-31 21:24 | administrator | Build | => R5.0.beta |