Project

General

Profile

Actions

Feature #7410

closed

Add salt to user passwords

Added by Jean-Philippe Lang almost 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Accounts / authentication
Target version:
Start date:
2011-01-22
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

User passwords are stored as SHA1(password) which makes them vulnerable to a dictionary attack from an attacker who gets access to the database.

The change consists of generating a salt for each user and storing SHA1(salt+SHA1(password)) in the database.


Related issues

Related to Redmine - Feature #6394: Add Salt to AuthenticationClosed2010-09-14

Actions
Related to Redmine - Defect #8514: Custom Password storing break pam_mysqlClosed2011-06-03

Actions
Actions #1

Updated by Eric Thomas almost 14 years ago

Duplicates #6394.

Actions #2

Updated by Jean-Philippe Lang almost 14 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Feature committed in r4936.

Actions #3

Updated by Rick I over 13 years ago

So now if attacker gets hold of the database all he has to do is to remove leading salt (since salt is stored in DB) and proceed with the dictionary attack. I don't see how this makes password any more secure...

Actions #4

Updated by Rick I over 13 years ago

Rick I wrote:

So now if attacker gets hold of the database all he has to do is to remove leading salt (since salt is stored in DB) and proceed with the dictionary attack. I don't see how this makes password any more secure...

Edit:
I take it all back. I didn't see salt+password_hash is hashed again.. my bad :F

Actions #5

Updated by Go MAEDA about 4 years ago

  • Related to Defect #8514: Custom Password storing break pam_mysql added
Actions

Also available in: Atom PDF