Feature #7410
closedAdd salt to user passwords
0%
Description
User passwords are stored as SHA1(password)
which makes them vulnerable to a dictionary attack from an attacker who gets access to the database.
The change consists of generating a salt for each user and storing SHA1(salt+SHA1(password))
in the database.
Related issues
Updated by Jean-Philippe Lang almost 14 years ago
- Status changed from New to Closed
- Resolution set to Fixed
Feature committed in r4936.
Updated by Rick I over 13 years ago
So now if attacker gets hold of the database all he has to do is to remove leading salt (since salt is stored in DB) and proceed with the dictionary attack. I don't see how this makes password any more secure...
Updated by Rick I over 13 years ago
Rick I wrote:
So now if attacker gets hold of the database all he has to do is to remove leading salt (since salt is stored in DB) and proceed with the dictionary attack. I don't see how this makes password any more secure...
Edit:
I take it all back. I didn't see salt+password_hash is hashed again.. my bad :F
Updated by Go MAEDA about 4 years ago
- Related to Defect #8514: Custom Password storing break pam_mysql added