View Issue Details

ID: 0013273
Project: mantisbt
Category: security
View Status: public
Last Update: 2011-09-25 09:40
Reporter: CarstenGrohmann
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: duplicate
Product Version: git trunk
Summary: 0013273: Store salted passwd only
Description

Store all passwords salted by default. Storing un-salted passwords isn't state of the art. Please use random salts and convert un-salted passwords automatically to salted passwords after successful login.

At least the MD5 hashed passwords are affected.

See core/authentication_api.php:auth_process_plain_password()
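The login-time upgrade the description (and the reporter's first note below) asks for, as an added illustration that is not MantisBT's code and does not reproduce auth_process_plain_password(): a constructed user table holds a legacy unsalted MD5 record; on a successful login it is replaced in place by a PBKDF2-HMAC-SHA256 hash with a fresh random salt, and two users with the same password end up with different hashes. The table layout, scheme names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed demo user table (assumption): username -> stored record.
# Legacy rows hold a bare MD5 hex digest with no salt, as the issue describes.
USERS = {
    "alice": {"scheme": "md5", "hash": hashlib.md5(b"correct horse").hexdigest()},
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the salted scheme


def make_salted_hash(password: str) -> dict:
    """Build a record with a fresh 16-byte random salt and a PBKDF2-HMAC-SHA256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2_sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Check a password against either the legacy or the salted record format."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2_sha256":
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
        ).hex()
    else:
        return False
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(candidate, record["hash"])


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a legacy unsalted record in place."""
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "md5":
        # The plaintext is only available at login, so this is the moment to re-hash.
        users[username] = make_salted_hash(password)
    return True
```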

Tags: No tags attached.

Relationships

duplicate of 0010172 (closed, dregad): Passwords in SHA256 using a static salt

Activities

CarstenGrohmann

2011-08-29 07:11

reporter   ~0029584

Please add support for random salts and change the default configuration to use random salts automatically as well as to convert pw hashes without salts to salted password hashes after user login.

Static salts are tricky because:

  • you could generate rainbow tables for those salt too
  • different users using same password got the same password hash
  • ...

Further information about salted passwords and why salted passwords are so important:

atrol

2011-08-29 07:37

developer   ~0029585

If you want to provide additional information you can add notes to the duplicate issue.

Or is there any other reason to reopen the issue?
I thought that the duplicate 0010172 and the notes from developers cover random salts, rainbow tables, ....

CarstenGrohmann

2011-08-29 07:42

reporter   ~0029586

I'm sorry, please close this bug a second time.