View Issue Details

ID: 0022839
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2019-06-17 19:00
Reporter: dregad
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: N/A
Status: assigned
Resolution: open
Product Version: 
Target Version: 2.22.0
Fixed in Version: 
Summary0022839: Deprecate MD5 login method and replace with BCRYPT hash
Description

For many years, Mantis has been using MD5 as the default and "best" hashing algorithm to store users' passwords in the database.

Since 2.x requires PHP 5.5.9, we can now use the password_hash() function, which relies on the modern and safe BCRYPT hashing algorithm for better security.
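The following is an added illustration of the approach the report describes, not code from MantisBT or from the linked pull request: store new passwords with password_hash() using PASSWORD_BCRYPT, verify with password_verify(), and upgrade a legacy unsalted MD5 digest to bcrypt the first time its owner logs in successfully. The function names, the cost constant, the in-memory $users array and the assumption that the legacy store holds a bare 32-character MD5 hex digest are this example's own.

```php
<?php
// Added example (not MantisBT's own code): migrate an unsalted MD5 password
// store to bcrypt via password_hash()/password_verify(), rehashing each
// legacy user transparently on first successful login. Needs PHP >= 5.5.
// BCRYPT_COST, is_legacy_md5, verify_and_upgrade and $users are assumptions
// made for this example.

// Work factor; assumption: tune so one hash takes ~100-250 ms on your hardware.
const BCRYPT_COST = 12;

// hash_equals() exists from PHP 5.6; constant-time fallback for 5.5.x.
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user) {
        if (strlen($known) !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < strlen($known); $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Constructed sample user table: one legacy MD5 user, one already on bcrypt.
$users = array(
    'alice' => array('hash' => md5('correct horse battery staple')), // legacy, unsalted MD5 hex
    'bob'   => array('hash' => password_hash('hunter2hunter2', PASSWORD_BCRYPT,
                                             array('cost' => BCRYPT_COST))),
);

// A bare MD5 hex digest is exactly 32 hex characters; bcrypt strings begin with "$2y$".
function is_legacy_md5($stored) {
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Returns true on a correct password. Side effect: the user's row is moved to
// bcrypt (or to the current cost) whenever the stored hash is weaker than policy.
function verify_and_upgrade(array &$user, $password) {
    $stored  = $user['hash'];
    $options = array('cost' => BCRYPT_COST);

    if (is_legacy_md5($stored)) {
        // Constant-time compare against the legacy digest, then replace it with bcrypt.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Already bcrypt: raise the work factor if BCRYPT_COST has grown since hashing.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        $user['hash'] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

// Usage: a wrong password leaves alice's MD5 row untouched; the right one
// upgrades it to bcrypt, after which is_legacy_md5() no longer matches.
var_dump(verify_and_upgrade($users['alice'], 'wrong password'));
var_dump(verify_and_upgrade($users['alice'], 'correct horse battery staple'));
var_dump(is_legacy_md5($users['alice']['hash']));
var_dump(verify_and_upgrade($users['bob'], 'hunter2hunter2'));
```

Two points worth checking when adopting this pattern: bcrypt only uses the first 72 bytes of the password, so very long passphrases should be limited or pre-hashed consistently rather than silently truncated, and the legacy comparison path should be removed once every active row has been rehashed, otherwise the old digests stay verifiable indefinitely.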

Additional Information

This basically makes several old issues in the tracker that aimed at replacing MD5 by SHA1/SHA256 obsolete, including 0010172, 0011250 and possibly others as well.

Tags: No tags attached.

Relationships

related to 0010172 (closed, dregad): Passwords in SHA256 using a static salt
related to 0011250 (closed, dregad): Allow SHA1 passwords

Activities

dregad

2017-05-06 17:34

developer   ~0056785

PR https://github.com/mantisbt/mantisbt/pull/1048

hockeyfan

2018-12-12 10:56

reporter   ~0061073

We appreciate your efforts on this project, and understand that you haven't been able to integrate this patch into the project yet. We would like to know if there is something that we can do to encourage you to find time to fix this serious issue. How do you feel about a significant bounty here: https://www.bountysource.com/issues/56540151-deprecate-md5-login-method-and-replace-with-bcrypt-hash ?

We are willing to contribute $500 USD for a released fix by the end of 1Q 2019. We would also encourage others to contribute as well. If some other mechanism works better for you, please let us know.

rogueresearch

2019-03-18 16:20

reporter   ~0061695

I'd love to see this fixed too. Could contribute at least $100 USD also.

rogueresearch

2019-06-17 19:00

reporter   ~0062264

Seems this bug got some press today:

https://it.slashdot.org/story/19/06/17/182208/a-quarter-of-major-cmss-use-outdated-md5-as-the-default-password-hashing-scheme

https://www.zdnet.com/article/a-quarter-of-major-cmss-use-outdated-md5-as-the-default-password-hashing-scheme/

Issue History

Date Modified Username Field Change
2017-05-06 17:25 dregad New Issue
2017-05-06 17:26 dregad Relationship added related to 0010172
2017-05-06 17:26 dregad Relationship added related to 0011250
2017-05-06 17:34 dregad Assigned To => dregad
2017-05-06 17:34 dregad Status new => assigned
2017-05-06 17:34 dregad Target Version => 2.5.0
2017-05-06 17:34 dregad Note Added: 0056785
2017-05-06 17:35 dregad Description Updated
2017-06-04 16:19 atrol Target Version 2.5.0 => 2.6.0
2017-09-03 18:49 vboctor Target Version 2.6.0 => 2.7.0
2017-10-08 23:55 vboctor Target Version 2.7.0 => 2.8.0
2017-10-28 19:14 vboctor Target Version 2.8.0 => 2.9.0
2017-12-04 02:25 vboctor Target Version 2.9.0 => 2.10.0
2017-12-30 18:39 vboctor Target Version 2.10.0 => 2.11.0
2018-02-06 21:22 vboctor Target Version 2.11.0 => 2.12.0
2018-03-04 00:41 vboctor Target Version 2.12.0 => 2.13.0
2018-03-31 20:06 vboctor Target Version 2.13.0 => 2.14.0
2018-04-10 16:59 Angela3456 Issue cloned: 0024260
2018-04-29 19:27 vboctor Target Version 2.14.0 => 2.15.0
2018-06-06 00:43 vboctor Target Version 2.15.0 => 2.16.0
2018-07-30 05:32 atrol Target Version 2.16.0 => 2.17.0
2018-09-04 01:27 vboctor Target Version 2.17.0 => 2.18.0
2018-10-16 23:45 vboctor Target Version 2.18.0 => 2.19.0
2018-12-12 10:56 hockeyfan Note Added: 0061073
2019-01-02 17:32 vboctor Target Version 2.19.0 => 2.20.0
2019-03-16 20:33 vboctor Target Version 2.20.0 => 2.21.0
2019-03-18 16:20 rogueresearch Note Added: 0061695
2019-04-21 05:25 atrol Target Version 2.21.0 => 2.22.0
2019-06-17 19:00 rogueresearch Note Added: 0062264