Issue 12076

Make sure our passwords are securely saved

12076
Reporter: lfrancke
Assignee: mdoering
Type: Bug
Summary: Make sure our passwords are securely saved
Priority: Critical
Resolution: Fixed
Status: Closed
Created: 2012-10-24 16:28:53.408
Updated: 2013-08-29 14:44:32.764
Resolved: 2013-08-20 11:33:26.776
        
Description: If I understand correctly we are using basic MD5 hashing at the moment which has been proven to be very insecure.

I'm of the opinion that we _need_ to change this to something more secure before we go live. Using the Drupal 7 default would be perfectly fine in terms of security. It is using SHA512 and (much more important) a salt.]]>
    


Author: mdoering@gbif.org
Created: 2012-10-24 16:39:26.46
Updated: 2012-10-24 16:39:26.46
        
If I remember correctly its based on a standard SHA512, but does a lot of changes to it afterwards, not only using a salt. For example you configure it to recursively rehash it various times and other things. Its encoded here:
http://code.google.com/p/gbif-portal/source/browse/portal-drupal7/trunk/includes/password.inc?spec=svn1102&r=801

Other people have tried the same withut luck it seems:
http://stackoverflow.com/questions/11736555/java-autentication-of-drupal-passwords

Even if we mimick that behavior we have to make sure our implementations use the same configurations which also seem to change between drupal versions, so there is no easy drop in replace for drupal code anyway. Plus drupal knows how to deal with different password encodings in case old user accounts exist - also sth that will break our neck with drupal upgrades without manual intervention
    


Author: lfrancke@gbif.org
Comment: Thanks for providing those links. Then we either need to find a different solution or just get it working anyway.
Created: 2012-10-24 16:41:44.825
Updated: 2012-10-24 16:41:44.825


Author: mdoering@gbif.org
Comment: We could easily use a standard SHA512 if that makes you feel safer
Created: 2012-10-24 16:42:58.113
Updated: 2012-10-24 16:42:58.113


Author: lfrancke@gbif.org
Comment: If we use a salt, then yes.
Created: 2012-10-24 16:52:23.991
Updated: 2012-10-24 16:52:23.991


Author: lfrancke@gbif.org
Comment: Another article: http://dropsafe.crypticide.com/article/9439
Created: 2012-11-21 09:33:07.069
Updated: 2012-11-21 09:33:07.069


Author: mdoering@gbif.org
Created: 2012-11-26 19:50:29.905
Updated: 2012-11-26 19:50:29.905
        
A potential java implementation of the drupal hashing: http://stackoverflow.com/questions/11736555/java-autentication-of-drupal-passwords

    


Author: mdoering@gbif.org
Comment: we use the native drupal hashing now
Created: 2013-08-20 11:33:26.808
Updated: 2013-08-20 11:33:26.808