[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Udai Gupta updated MIFOS-4342:
------------------------------

    Description:
Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.

The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
http://www.openbsd.org/papers/bcrypt-paper.ps

OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.

For more information see:
Java OpenBSD's Blowfish password hashing library, BSD license
http://www.mindrot.org/projects/jBCrypt/

Background info:
http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
http://codahale.com/how-to-safely-store-a-password/#

On the recent Gawker security breach, which involved the release of 1.3M accounts and passwords:
http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html

  was:
Mifos stores passwords using the SHA hash function. This is a known problem, as hashed passwords can be quickly cracked using modern techniques. Salting SHA hashes does not fix the problem.

The solution is to use a modern cryptography function specifically designed for passwords, such as bcrypt. bcrypt has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.

For more information see:
Java bCrypt library, BSD license
http://www.mindrot.org/projects/jBCrypt/

Background info:
http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
http://codahale.com/how-to-safely-store-a-password/#

On the recent Gawker security breach, which involved the release of 1.3M accounts and passwords:
http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html

    Issue Type: Improvement  (was: Bug)
    Summary: Migrate to stronger password storage mechanism, resistant to modern cracking techniques  (was: Password authentication data is stored in SHA hashed form. Store them in a form that is resistant to modern cracking techniques.)

> Migrate to stronger password storage mechanism, resistant to modern cracking
> techniques
> --------------------------------------------------------------------------------------
>
>                 Key: MIFOS-4342
>                 URL: http://mifosforge.jira.com/browse/MIFOS-4342
>             Project: mifos
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Release E - Iteration 11
>            Reporter: Adam Feuer
>            Assignee: mifosdeveloperqueue
>            Priority: Major
>             Fix For: Elsie F
>
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is
> easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed
> for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to
> enable the hardness of the cryptography to keep up with increasing computing
> power, making it considerably more difficult to crack a database of leaked
> passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license
> http://www.mindrot.org/projects/jBCrypt/
> Background info:
> http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
> http://codahale.com/how-to-safely-store-a-password/#
> On the recent Gawker security breach, which involved the release of 1.3M
> accounts and passwords:
> http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
> http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://mifosforge.jira.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
Mifos-issues mailing list
Mifos-issues@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mifos-issues
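The following is an added illustration of the storage scheme the ticket proposes, written against the jBCrypt library it links to; it is not Mifos code and not part of the issue. The class name, the chosen cost of 12, the sample password and the "re-hash on successful login" step (a way to raise the work factor over time without a mass password reset, which goes slightly beyond what the ticket spells out) are this example's own assumptions. It assumes jBCrypt 0.3 or later, where the class lives in the org.mindrot.jbcrypt package.

```java
import org.mindrot.jbcrypt.BCrypt;

/**
 * Example only (not Mifos code): salted, adjustable-cost password storage
 * with jBCrypt, as proposed in MIFOS-4342.
 */
public final class PasswordStorage {

    // Work factor ("hardness"): bcrypt performs 2^COST key-setup rounds.
    // Raising it by one doubles the cost for the defender and for anyone
    // cracking a leaked table alike. 12 is an assumed starting value for this
    // example, not a Mifos setting; re-tune it as hardware gets faster.
    static final int COST = 12;

    /** Hash a new password. gensalt() draws a random 128-bit salt and the
     *  result string carries salt and cost, so nothing else needs storing.
     *  Note: bcrypt only uses the first 72 bytes of the password. */
    static String hash(String plaintext) {
        return BCrypt.hashpw(plaintext, BCrypt.gensalt(COST));
    }

    /** Verify a login attempt; salt and cost are read back from the stored hash. */
    static boolean verify(String plaintext, String stored) {
        return BCrypt.checkpw(plaintext, stored);
    }

    /** Read the cost recorded in a "$2a$NN$..." hash (NN = log2 rounds). */
    static int costOf(String stored) {
        if (stored == null || stored.length() < 7
                || stored.charAt(0) != '$' || stored.charAt(3) != '$'
                || stored.charAt(6) != '$') {
            throw new IllegalArgumentException("not a bcrypt hash");
        }
        return Integer.parseInt(stored.substring(4, 6));
    }

    /** True when the stored hash was produced at a lower cost than we want now. */
    static boolean needsRehash(String stored) {
        return costOf(stored) < COST;
    }

    /**
     * Login path: verify, then opportunistically upgrade hashes made at an
     * older, cheaper cost. Returns the hash the caller should store (unchanged
     * or upgraded), or null when the password is wrong. This is how the
     * adjustable factor "keeps up" with computing power in practice.
     */
    static String loginAndUpgrade(String plaintext, String stored) {
        if (!verify(plaintext, stored)) {
            return null;
        }
        return needsRehash(stored) ? hash(plaintext) : stored;
    }

    public static void main(String[] args) {
        String pw = "correct horse battery staple"; // constructed sample password
        String h = hash(pw);
        System.out.println(h);                   // e.g. $2a$12$<22-char salt><31-char hash>
        System.out.println(verify(pw, h));       // true
        System.out.println(verify("wrong", h));  // false

        // Simulate a hash created earlier at a lower cost and watch the login
        // path upgrade it to the current COST.
        String legacy = BCrypt.hashpw(pw, BCrypt.gensalt(6));
        String after = loginAndUpgrade(pw, legacy);
        System.out.println(costOf(legacy) + " -> " + costOf(after)); // 6 -> 12
    }
}
```

The cost constant is the only knob to revisit: pick the largest value whose hashing time is still acceptable on the login path, and the re-hash step above migrates existing rows the next time each user signs in.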