[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kay Chau updated MIFOS-4342:
----------------------------

    Summary: Migrate to stronger password storage mechanism, resistant to modern cracking techniques  (was: Migrate to stroger password storage mechanism, resistant to modern cracking techniques)

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
>                 Key: MIFOS-4342
>                 URL: http://mifosforge.jira.com/browse/MIFOS-4342
>             Project: mifos
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Release E - Iteration 11
>            Reporter: Adam Feuer
>            Assignee: mifosdeveloperqueue
>            Priority: Major
>             Fix For: Elsie F
>
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
>
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
>
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
>
> For more information see:
>
> Java OpenBSD's Blowfish password hashing library, BSD license
> http://www.mindrot.org/projects/jBCrypt/
>
> Background info:
> http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
> http://codahale.com/how-to-safely-store-a-password/#
>
> On the recent Gawker security breach, which involved the release of 1.3M accounts and passwords:
> http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
> http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html

--
This message is automatically generated by JIRA.
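The migration the issue asks for, sketched as an added example (not Mifos code and not from the issue reporter): existing salted-MD5 records are verified once at login and replaced with a bcrypt hash, and bcrypt hashes are re-computed when the work factor is raised. The class `PasswordMigrator`, its method names, the legacy record layout `hex(salt):hex(MD5(salt || password))` and the cost value 12 are assumptions; the `BCrypt` calls are those of the jBCrypt library linked in the issue, imported under the `org.mindrot.jbcrypt` package name.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.mindrot.jbcrypt.BCrypt; // jBCrypt, the library linked in the issue
/** Hypothetical helper: verifies a login and upgrades the stored hash to bcrypt. */
public class PasswordMigrator {
    // Work factor ("hardness"): each +1 doubles the hashing cost. 12 is an assumed value.
    static final int TARGET_COST = 12;

    /** Assumed legacy layout: hex(salt) + ":" + hex(MD5(salt || password)). */
    static boolean checkLegacy(String password, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split(":");
        if (parts.length != 2) return false;
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(fromHex(parts[0]));
        byte[] actual = md5.digest(password.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(actual, fromHex(parts[1])); // constant-time compare
    }

    /** Returns the hash to store after this login attempt, or null if the password is wrong. */
    static String verifyAndUpgrade(String password, String stored) throws NoSuchAlgorithmException {
        if (stored.startsWith("$2a$")) { // prefix written by jBCrypt's gensalt()
            if (!BCrypt.checkpw(password, stored)) return null;
            int cost = Integer.parseInt(stored.substring(4, 6));
            // Re-hash when the configured work factor has been raised since this hash was made.
            return cost < TARGET_COST ? BCrypt.hashpw(password, BCrypt.gensalt(TARGET_COST)) : stored;
        }
        if (!checkLegacy(password, stored)) return null;
        // Legacy MD5 record verified: replace it with bcrypt while the plaintext is in hand.
        return BCrypt.hashpw(password, BCrypt.gensalt(TARGET_COST));
    }

    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample record: salt bytes 0x01 0x02, password "s3cret".
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(new byte[] {1, 2});
        StringBuilder hex = new StringBuilder("0102:");
        for (byte b : md5.digest("s3cret".getBytes(StandardCharsets.UTF_8))) hex.append(String.format("%02x", b));
        String upgraded = verifyAndUpgrade("s3cret", hex.toString());
        System.out.println("upgraded to bcrypt: " + upgraded.startsWith("$2a$12$"));
        System.out.println("wrong password rejected: " + (verifyAndUpgrade("wrong", upgraded) == null));
    }
}
```

Accounts that never log in again keep their MD5 record under this scheme, so a deployment would also need a policy for those (for example, forcing a reset after a cut-off date).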