Password authentication data is stored in SHA-hashed form. Store it in a 
form that is resistant to modern cracking techniques.
---------------------------------------------------------------------------------------------------------------------------------

                 Key: MIFOS-4342
                 URL: http://mifosforge.jira.com/browse/MIFOS-4342
             Project: mifos
          Issue Type: Bug
          Components: Authentication
    Affects Versions: Release E - Iteration 11
            Reporter: Adam Feuer
            Priority: Major


Mifos stores passwords using the SHA hash function. This is a known problem, as 
hashed passwords can be quickly cracked using modern techniques. Salting SHA 
hashes does not fix the problem.

The solution is to use a modern cryptography function specifically designed for 
passwords, such as bcrypt. bcrypt has an adjustable "hardness" factor to enable 
the hardness of the cryptography to keep up with increasing computing power, 
making it considerably more difficult to crack a database of leaked passwords.

For more information see:

Java bCrypt library, BSD license
http://www.mindrot.org/projects/jBCrypt/

Background info:
http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
http://codahale.com/how-to-safely-store-a-password/#

On the recent Gawker security breach, which involved the release of 1.3M 
accounts and passwords:
http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html
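As an added example (not code from the Mifos project or the reporter), the change the issue asks for in Java using the jBCrypt library linked above: a login check that accepts a legacy SHA record, and on success re-hashes the password with bcrypt at a tunable work factor so the stored value is upgraded over time. The legacy format (unsalted SHA-1, hex) and the cost of 12 are assumptions for illustration; the issue does not state which SHA variant or encoding Mifos uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.mindrot.jbcrypt.BCrypt;   // jBCrypt, http://www.mindrot.org/projects/jBCrypt/

public class PasswordUpgradeExample {
    // Work factor: log2 of the bcrypt iteration count. Raise it as hardware gets faster.
    static final int BCRYPT_LOG_ROUNDS = 12;

    /** Legacy scheme assumed for this example: unsalted SHA-1, lower-case hex. */
    static String legacySha1Hex(String password) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** jBCrypt output has the form "$2a$NN$" + 22-char salt + 31-char hash (60 chars). */
    static boolean isBcryptHash(String stored) {
        return stored.startsWith("$2a$") && stored.length() == 60;
    }

    /**
     * Verifies a login attempt. Returns null when the password is wrong; otherwise
     * returns the value the caller should now store: the unchanged bcrypt hash, or a
     * fresh bcrypt hash when the record was still the legacy SHA-1 form.
     */
    static String verifyAndUpgrade(String password, String stored) throws NoSuchAlgorithmException {
        if (isBcryptHash(stored)) {
            return BCrypt.checkpw(password, stored) ? stored : null;
        }
        // Legacy record: constant-time compare of the SHA-1, then re-hash with bcrypt.
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        byte[] actual = legacySha1Hex(password).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) {
            return null;
        }
        return BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_LOG_ROUNDS));
    }

    public static void main(String[] args) throws Exception {
        String legacy = legacySha1Hex("correct horse");          // constructed sample record
        String upgraded = verifyAndUpgrade("correct horse", legacy);
        System.out.println("upgraded to bcrypt: " + (upgraded != null && isBcryptHash(upgraded)));
        System.out.println("wrong password rejected: " + (verifyAndUpgrade("wrong", upgraded) == null));
        System.out.println("bcrypt record unchanged: " + upgraded.equals(verifyAndUpgrade("correct horse", upgraded)));
    }
}
```

Once every record has been rewritten, the legacy branch can be removed; the cost parameter is the only value to revisit later, since bcrypt hashes embed it and old records keep verifying.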



-- 
This message is automatically generated by JIRA.
_______________________________________________
Mifos-issues mailing list
Mifos-issues@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mifos-issues