View Issue Details

ID: 0000274
Project: WackoWiki
Category: security
View Status: public
Last Update: 2011-05-31 21:24
Reporter: administrator
Assigned To: administrator
Priority: normal
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Product Version: 4.2
Target Version: 5.0.beta
Fixed in Version: 5.0.beta
Summary: 0000274: Implement secure/salted hashing algorithm for passwords
Description: Upgrade the authentication system to use SHA1 or better hashing for passwords, with a randomized salt for each user's hash. Login-time rehashing of users' passwords should be supported to accommodate old user accounts.
Tags: No tags attached.

Relationships

related to 0000357 (resolved, administrator): Use SHA256 for passwords as default

Activities

ebal

2009-03-03 08:29

developer   ~0000586

I'm itching to try resolving this, but I can't promise a timeline.

ebal

2009-03-04 13:02

developer   ~0000587

At login.php, line 45:

// this variable should go to config.php
$OLD_LOGIN = 0;

// internal variable
$CHECK_LOGIN = 0;

// in php sha1() returns a 40-char hex string; the current 'password'
// column is 32 chars wide, so only the first 32 chars are stored and compared.
// Strict comparison (===) avoids PHP's loose string/number coercion.
$newHash = substr(sha1($_POST["password"]), 0, 32);

if ($existingUser["password"] === $newHash) {
  $CHECK_LOGIN = 1;
} elseif ($OLD_LOGIN && ($existingUser["password"] === md5($_POST["password"]))) {
  // update database with the sha1 password for future logins.
  // The hash itself is hex-only, but the user name is request input and
  // must be escaped before being placed in the query (assumes the classic
  // mysql extension; use the wiki's own escaping helper if it has one)
  $this->Query("UPDATE ".$this->config["table_prefix"]."users SET password = '".$newHash."' WHERE name = '".mysql_real_escape_string($_POST["name"])."'");
  $CHECK_LOGIN = 1;
}

if ($CHECK_LOGIN) {
  $this->LogUserIn($existingUser);
  $this->SetUser($existingUser);
  $this->SetBookmarks(BM_USER);
  $this->context[++$this->current_context] = "";
  if ($_REQUEST["goback"] != "") {
    $this->Redirect($this->Href("", stripslashes($_REQUEST["goback"]), "cache=".rand(0, 1000)));
  }
  $this->Redirect($this->href());
} else {
  $error = $this->GetResourceValue("WrongPassword");
  $name = $_POST["name"];
  $focus = 1;
}

If you like this hack, I can proceed to make all the necessary changes for sha1 logins/registrations/installation etc. I hope my code is clean and straightforward for future maintenance.

Tann San

2009-03-04 13:55

manager   ~0000588

That looks rather good to me, makes it really simple to add a new database column later to support the full 40 char string.

administrator

2009-11-03 08:58

administrator   ~0000724

a) add a new login method (e.g. SHA1)
b) allow for existing installations to move to it. This means that the code will upgrade existing users from MD5 (or whatever it is) to SHA1 as the users login.

administrator

2010-02-18 16:13

administrator   ~0000741

Last edited: 2010-03-18 19:23

rev1083 - altered field size for 'password' to VARCHAR(40)
Use SHA1 for passwords as default - http://wackowiki.hg.sourceforge.net/hgweb/wackowiki/stable/rev/d68f6b3518ce

administrator

2010-03-31 09:59

administrator   ~0000756

http://wackowiki.hg.sourceforge.net/hgweb/wackowiki/stable/rev/2f7fb82350d9
Please test the new salted password. I guess 4 digits are enough, but we can make the salt strength a config value.
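An added example (not WackoWiki's code) of the scheme these notes describe, covering both the login-time upgrade from unsalted MD5 in note ~0000724 and the per-user salt in note ~0000756: new hashes get a random salt, and a legacy MD5 row that still verifies is rewritten as a salted hash during that login. The storage format sha1$<salt>$<hex>, the function names and the configurable salt length are assumptions; hash_equals() needs PHP 5.6+.

```php
<?php
// Added example, not WackoWiki code. Stored value formats assumed here:
//   legacy row: bare 32-hex-char MD5 of the password (no salt)
//   new row:    "sha1$<salt>$<hex>", i.e. sha1(salt . password) with its salt
$SALT_LENGTH = 8; // would live in config.php; the note above suggests 4 digits

function make_salt($length) {
    // Constructed from the OS-backed PRNG; rand()/mt_rand() are not suitable.
    return substr(bin2hex(openssl_random_pseudo_bytes($length)), 0, $length);
}

function hash_password($password, $salt) {
    return 'sha1$' . $salt . '$' . sha1($salt . $password);
}

function is_legacy_md5($stored) {
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Returns array('ok' => bool, 'upgrade' => string|null). When a legacy hash
// matched, 'upgrade' carries the salted hash the caller must write back,
// so the unsalted MD5 disappears from the users table on the next login.
function verify_password($password, $stored, $salt_length) {
    if (is_legacy_md5($stored)) {
        if (hash_equals($stored, md5($password))) {
            $new = hash_password($password, make_salt($salt_length));
            return array('ok' => true, 'upgrade' => $new);
        }
        return array('ok' => false, 'upgrade' => null);
    }
    $parts = explode('$', $stored, 3);
    if (count($parts) !== 3 || $parts[0] !== 'sha1') {
        return array('ok' => false, 'upgrade' => null); // unknown format
    }
    // recompute with the stored salt; constant-time compare of the hex strings
    $expected = hash_password($password, $parts[1]);
    return array('ok' => hash_equals($stored, $expected), 'upgrade' => null);
}

// Usage with constructed values, mirroring the login flow in the issue.
$legacy_row = md5('correct horse');            // what a 4.2 database row holds
$first_login = verify_password('correct horse', $legacy_row, $SALT_LENGTH);
if ($first_login['ok'] && $first_login['upgrade'] !== null) {
    $stored = $first_login['upgrade'];         // UPDATE users SET password = $stored
}
var_dump(verify_password('correct horse', $stored, $SALT_LENGTH)['ok']);
var_dump(verify_password('wrong password', $stored, $SALT_LENGTH)['ok']);
```

Note that the salted value no longer fits the VARCHAR(40) field from rev1083; either widen the column or keep the salt in its own column.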

Issue History

Date Modified Username Field Change
2009-03-02 21:24 administrator New Issue
2009-03-03 08:29 ebal Note Added: 0000586
2009-03-04 12:36 ebal Status new => assigned
2009-03-04 12:36 ebal Assigned To => ebal
2009-03-04 13:02 ebal Note Added: 0000587
2009-11-02 19:04 administrator Target Version => 5.0.0
2009-11-03 08:58 administrator Note Added: 0000724
2010-02-18 16:13 administrator Note Added: 0000741
2010-03-08 10:22 administrator Category Security => security
2010-03-18 19:23 administrator Note Edited: 0000741
2010-03-18 20:01 administrator Relationship added related to 0000357
2010-03-31 09:59 administrator Note Added: 0000756
2010-04-05 17:29 administrator Assigned To ebal => administrator
2010-04-05 17:29 administrator Status assigned => resolved
2010-04-05 17:29 administrator Resolution open => fixed
2010-04-05 17:29 administrator Fixed in Version => 5.0.beta
2010-04-05 17:29 administrator Target Version 5.0.0 => 5.0.beta
2011-05-31 21:24 administrator Build => R5.0.beta