
Vote #69054

Completed

Add salt to user passwords

Added by Admin Redmine over 3 years ago. Updated over 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication_7
Target version:
Start date: 2011/01/22
Due date:
% Done: 0%
Estimated time:

category_id: 7
version_id: 27
issue_org_id: 7410
author_id: 1
assigned_to_id: 0
comments: 5
status_id: 5
tracker_id: 2
plus1: 0
affected_version:
closed_on:
affected_version_id:
Status --> [Closed]

Description

User passwords are stored as @SHA1(password)@ which makes them vulnerable to a dictionary attack from an attacker who gets access to the database.

The change consists of generating a salt for each user and storing @SHA1(salt+SHA1(password))@ in the database.
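The scheme in the description, as an added example in Ruby (not Redmine's own code; method names, the salt length and the sample passwords are this example's choices), placed beside the legacy unsalted storage so the two can be compared on the same input. It also shows why the stored value cannot be reduced to "salt followed by SHA1(password)": the salt is prepended to the inner digest and the result is hashed again.

```ruby
require 'digest/sha1'
require 'securerandom'

# Added example (not Redmine's own code): models the scheme proposed in the
# issue description, stored = SHA1(salt + SHA1(password)), next to the legacy
# unsalted SHA1(password) storage, so the difference can be tested directly.
# Method names, the salt length and the sample passwords are this example's
# own choices.
module SaltedPasswordExample
  SALT_HEX_LENGTH = 32 # constructed choice; 16 random bytes rendered as hex

  # Plain SHA-1 hex digest, the primitive both schemes are built from.
  def self.hash_password(clean_password)
    Digest::SHA1.hexdigest(clean_password)
  end

  def self.generate_salt
    SecureRandom.hex(SALT_HEX_LENGTH / 2)
  end

  # Legacy storage described as vulnerable in the issue: no salt, so equal
  # passwords produce equal digests and one precomputed table breaks them all.
  def self.legacy_store(clean_password)
    hash_password(clean_password)
  end

  # Salted storage: the salt is prepended to the *inner* digest and the result
  # is hashed again, so the stored value is not "salt followed by SHA1(password)"
  # and stripping the salt off the stored string yields nothing usable.
  def self.store(clean_password, salt = generate_salt)
    { salt: salt,
      hashed_password: hash_password("#{salt}#{hash_password(clean_password)}") }
  end

  # Verification recomputes the same construction with the stored salt.
  def self.check(clean_password, record)
    candidate = hash_password("#{record[:salt]}#{hash_password(clean_password)}")
    secure_compare(candidate, record[:hashed_password])
  end

  # Constant-time comparison of two hex strings of equal length.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Defender's check: given a precomputed table of unsalted digests for a
  # wordlist, count how many stored values it reveals with a single lookup each.
  def self.precomputed_table(wordlist)
    wordlist.to_h { |w| [hash_password(w), w] }
  end

  def self.table_hits(table, stored_digests)
    stored_digests.count { |d| table.key?(d) }
  end
end

if __FILE__ == $PROGRAM_NAME
  wordlist = %w[password 123456 letmein] # constructed sample wordlist
  table = SaltedPasswordExample.precomputed_table(wordlist)
  sample = %w[password password letmein] # constructed sample user passwords

  legacy = sample.map { |p| SaltedPasswordExample.legacy_store(p) }
  salted = sample.map { |p| SaltedPasswordExample.store(p) }
  salted_digests = salted.map { |r| r[:hashed_password] }

  puts "legacy digests revealed by one table lookup: #{SaltedPasswordExample.table_hits(table, legacy)}"
  puts "salted digests revealed by one table lookup: #{SaltedPasswordExample.table_hits(table, salted_digests)}"
  puts "same password, distinct stored values: #{salted[0][:hashed_password] != salted[1][:hashed_password]}"
  puts "login check succeeds: #{SaltedPasswordExample.check('password', salted[0])}"
end
```

Run with `ruby salted_password_example.rb`. The per-user salt removes two things from a database dump: a single precomputed table no longer answers every row, and two accounts with the same password no longer share a stored value. What it does not change is the cost of one guess, since SHA-1 is fast; a per-account dictionary run remains feasible, which is why current practice stores passwords with a deliberately slow function (bcrypt, PBKDF2 or Argon2) rather than a salted fast hash.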


journals

Duplicates #6394.
--------------------------------------------------------------------------------
Feature committed in r4936.
--------------------------------------------------------------------------------
So now if attacker gets hold of the database all he has to do is to remove leading salt (since salt is stored in DB) and proceed with the dictionary attack. I don't see how this makes password any more secure...
--------------------------------------------------------------------------------
Rick I wrote:
> So now if attacker gets hold of the database all he has to do is to remove leading salt (since salt is stored in DB) and proceed with the dictionary attack. I don't see how this makes password any more secure...

Edit:
I take it all back. I didn't see salt+password_hash is hashed again.. my bad :F

--------------------------------------------------------------------------------


related_issues

relates: #6394 (Closed) Add Salt to Authentication
relates: #8514 (Closed) Custom Password storing break pam_mysql

Updated by Admin Redmine over 3 years ago

  • Category set to Accounts / authentication_7
  • Target version set to 1.2.0_27
