12076
Reporter: lfrancke
Assignee: mdoering
Type: Bug
Summary: Make sure our passwords are securely saved
Priority: Critical
Resolution: Fixed
Status: Closed
Created: 2012-10-24 16:28:53.408
Updated: 2013-08-29 14:44:32.764
Resolved: 2013-08-20 11:33:26.776
Description: If I understand correctly we are using basic MD5 hashing at the moment which has been proven to be very insecure.
I'm of the opinion that we _need_ to change this to something more secure before we go live. Using the Drupal 7 default would be perfectly fine in terms of security. It is using SHA512 and (much more important) a salt.
Author: mdoering@gbif.org
Created: 2012-10-24 16:39:26.46
Updated: 2012-10-24 16:39:26.46
Comment: If I remember correctly it's based on a standard SHA512, but does a lot of changes to it afterwards, not only using a salt. For example you configure it to recursively rehash it various times and other things. It's encoded here:
http://code.google.com/p/gbif-portal/source/browse/portal-drupal7/trunk/includes/password.inc?spec=svn1102&r=801
Other people have tried the same without luck it seems:
http://stackoverflow.com/questions/11736555/java-autentication-of-drupal-passwords
Even if we mimic that behavior we have to make sure our implementations use the same configurations, which also seem to change between Drupal versions, so there is no easy drop-in replacement for Drupal code anyway. Plus Drupal knows how to deal with different password encodings in case old user accounts exist - also something that will break our neck with Drupal upgrades without manual intervention.
Author: lfrancke@gbif.org
Comment: Thanks for providing those links. Then we either need to find a different solution or just get it working anyway.
Created: 2012-10-24 16:41:44.825
Updated: 2012-10-24 16:41:44.825
Author: mdoering@gbif.org
Comment: We could easily use a standard SHA512 if that makes you feel safer
Created: 2012-10-24 16:42:58.113
Updated: 2012-10-24 16:42:58.113
Author: lfrancke@gbif.org
Comment: If we use a salt, then yes.
Created: 2012-10-24 16:52:23.991
Updated: 2012-10-24 16:52:23.991
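The scheme the thread settles on (salt, SHA-512, repeated rehashing, with salt and cost stored alongside the hash) as an added example; this is not code from the ticket or from the GBIF portal, and it is written from memory of Drupal 7's password.inc, so byte-for-byte compatibility with a given Drupal version is an assumption to verify, exactly the configuration drift mdoering warns about. Salt "abcdefgh" and cost 7 in the usage are constructed test values.

```python
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Assumed Drupal 7 constants (stored length, default/min/max log2 round count).
HASH_LENGTH, DEFAULT_LOG2, MIN_LOG2, MAX_LOG2 = 55, 15, 7, 30


def _b64(raw: bytes) -> str:
    """phpass-style base64: 24-bit little-endian groups, 6 bits per char."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value, i = raw[i], i + 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def make_salt() -> str:
    return _b64(os.urandom(6))  # 6 random bytes -> 8 salt characters


def hash_password(password: str, salt: str, count_log2: int = DEFAULT_LOG2) -> str:
    """Return '$S$' + cost char + 8-char salt + truncated encoded digest."""
    if not (MIN_LOG2 <= count_log2 <= MAX_LOG2) or len(salt) != 8:
        raise ValueError("cost out of range or salt not 8 chars")
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):  # 2**count_log2 rehash rounds
        digest = hashlib.sha512(digest + pw).digest()
    return ("$S$" + ITOA64[count_log2] + salt + _b64(digest))[:HASH_LENGTH]


def verify(password: str, stored: str) -> bool:
    # Salt and cost come from the stored string itself, so old hashes stay checkable.
    if len(stored) != HASH_LENGTH or not stored.startswith("$S$"):
        return False
    try:
        candidate = hash_password(password, stored[4:12], ITOA64.index(stored[3]))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)
```

Because the cost is embedded in each stored value, rounds can be raised for new accounts without invalidating existing hashes, which is the upgrade concern raised above.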