View Issue Details

IDProjectCategoryView StatusLast Update
0022839mantisbtauthenticationpublic2021-01-05 18:59
Reporterdregad Assigned Todregad  
PriorityhighSeveritymajorReproducibilityN/A
Status assignedResolutionopen 
Target Version2.26.0 
Summary0022839: Deprecate MD5 login method and replace with BCRYPT hash
Description

For many years, Mantis has been using MD5 as the default and "best" hashing algorithm to store users passwords in the database.

Since 2.x requires PHP 5.5.9, we can now use the password_hash() function, which relies on the modern and safe BCRYPT hashing algorithm for better security.

Additional Information

This basically makes several old issues in the tracker that aimed at replacing MD5 by SHA1/SHA256 obsolete, including 0010172, 0011250 and possibly others as well.

TagsNo tags attached.

Relationships

related to 0010172 closeddregad Passwords in SHA256 using a static salt 
related to 0011250 closeddregad Allow SHA1 passwords 
related to 0026085 new Support stronger authentication w/ schema changes 

Activities

dregad

dregad

2017-05-06 17:34

developer   ~0056785

PR https://github.com/mantisbt/mantisbt/pull/1048

hockeyfan

hockeyfan

2018-12-12 10:56

reporter   ~0061073

We appreciate your efforts on this project, and understand that you haven't been able to integrate this patch into the project yet. We would like to know if there is something that we can do to encourage you to find time to fix this serious issue. How do you feel about a significant bounty here: https://www.bountysource.com/issues/56540151-deprecate-md5-login-method-and-replace-with-bcrypt-hash ?

We are willing to contribute $500 USD for a released fix by the end of 1Q 2019. We would also encourage others to contribute as well. If some other mechanism works better for you, please let us know.

rogueresearch

rogueresearch

2019-03-18 16:20

reporter   ~0061695

I'd love to see this fixed too. Could contribute at least $100 USD also.

rogueresearch

rogueresearch

2019-06-17 19:00

reporter   ~0062264

Seems this bug got some press today:

https://it.slashdot.org/story/19/06/17/182208/a-quarter-of-major-cmss-use-outdated-md5-as-the-default-password-hashing-scheme

https://www.zdnet.com/article/a-quarter-of-major-cmss-use-outdated-md5-as-the-default-password-hashing-scheme/