On Tue, 09 Mar 2010 22:42:33 +0100 Morten Wegelbye Nissen <m...@monit.dk> 
wrote: 

MWN> In simple authenticator its possible to configure passwords to be
MWN> stored as MD5 sums - for a security sucker there are two problems here.
MWN> MD5 is broken[1].

(I wrote some of the auth code, including SimpleAuthenticator)

MD5 is fast and better than no hashing at all.  It's not *easy* to
extract the original password from an unsalted MD5 hash, either.

SimpleAuthenticator is not intended to be a comprehensive security
solution.  You should be using LDAP/AD/whatever works in your
environment and write your own authenticator.  That's why the
IAuthenticator can be specified in the configuration.

I plan to write a generic LDAP/AD IAuthenticator in the near future but
haven't had the time.  It wouldn't be terribly difficult if you're
interested.

MWN> There is no salt added to clear value, means if two users choose to
MWN> have same password, the encoded values would be the same.  I
MWN> suggest that someone add support for an alternative hashing
MWN> algorithm. And that the hash is calculated with some
MWN> prefix. (username maybe)

MWN> I know the present is better than having the passwords in
MWN> cleartext. But, when a user chooses to enable the password hashing,
MWN> it's for a reason. And there is no reason to choose to jump into the
MWN> common security pitfalls :)

Perhaps it was a mistake to include MD5 hashing at all, but I still
think it's better than storing plain passwords.  If you have drop-in
improvements, please submit a patch.

On Tue, 9 Mar 2010 16:19:21 -0600 Jonathan Ellis <jbel...@gmail.com> wrote: 

JE> We should probably use http://www.mindrot.org/projects/jBCrypt/.
JE> (Lots of background:
JE> 
http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html)

jBCrypt could be a drop-in, sure.  The hashing mechanism shouldn't
matter.

JE> We kind of have a nagging feeling though that rolling our own auth
JE> framework in 2010 is the wrong approach.
JE> http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
JE> has been mentioned as an alternative.

I look forward to discussion on this.

Ted
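The two concrete complaints in the thread (identical passwords give identical unsalted MD5 sums, and one precomputed table cracks every account at once) and the proposed fix (per-user salt plus a slow hash such as bcrypt) can be shown side by side. The following is an added example, not code from the thread or from Cassandra's SimpleAuthenticator, and it does not implement IAuthenticator. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt so it runs without jBCrypt, a `$`-separated record format of this example's own design, and constructed sample users and a constructed wordlist.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample data for this example: two users who picked the same
# password, and a small "dictionary" an attacker might precompute.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}
SAMPLE_WORDLIST = ["password", "letmein", "correct horse", "hunter2"]


def md5_unsalted(password: str) -> str:
    """The scheme under discussion: hex MD5 of the raw password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """One table (md5 -> word) built once cracks every user in one pass.
    This is the rainbow-table / shared-dictionary problem with unsalted hashes."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def make_salted_record(password: str, iterations: int = 20_000,
                       salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a deliberately slow KDF.

    PBKDF2-HMAC-SHA256 stands in for bcrypt here (an assumption of this
    example, not a recommendation over jBCrypt). The record stores the
    algorithm, cost and salt so verification needs nothing else. 20_000
    iterations keeps the example fast; raise the cost in real use."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts no table can be shared: every guess must be
    re-derived for every user. Returns the cracked users and the number of
    KDF evaluations the attacker had to pay for."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    work = 0
    for user, record in stored.items():
        for w in words:
            work += 1
            if verify_salted_record(w, record):
                cracked[user] = w
                break
    return cracked, work


def demo() -> Dict[str, object]:
    """Run both schemes over the constructed users and report what leaks."""
    unsalted = {u: md5_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: make_salted_record(p) for u, p in SAMPLE_USERS.items()}
    salted_cracked, work = crack_salted(salted, SAMPLE_WORDLIST)
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],   # True
        "salted_collide": salted["alice"] == salted["bob"],         # False
        "unsalted_cracked": crack_unsalted(unsalted, SAMPLE_WORDLIST),
        "salted_cracked": salted_cracked,
        "salted_work": work,
        "login_ok": verify_salted_record("correct horse", salted["alice"]),
        "login_bad": verify_salted_record("wrong", salted["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both schemes fall to a four-word dictionary, since the sample password is in it; the difference is what the attacker learns for free (that alice and bob share a password) and how the cost scales: the unsalted table is built once and reused against every account and every future dump, while the salted attack pays one slow derivation per guess per user, which is exactly the "enough with the rainbow tables" argument behind the bcrypt suggestion. Swapping PBKDF2 for jBCrypt changes only `make_salted_record` and `verify_salted_record`, which is the sense in which the hashing mechanism can be a drop-in.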
