[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67172#comment-67172 ]

Mifos Hudson Jira Plugin User commented on MIFOS-4342:
------------------------------------------------------

Integrated in !http://ci.mifos.org/hudson/images/16x16/blue.png! [head-master-secondary #361|http://ci.mifos.org/hudson/job/head-master-secondary/361/]
Revert "[MIFOS-4342] fix integration tests"
Revert "[MIFOS-4342] migrate to Bcrypt - accont expire functionality"
Revert "[MIFOS-4342] migrate to Bcrypt - change encrypt algorithm to Bcrypt"

Łukasz Domżalski : 
Files : 
* application/src/test/java/org/mifos/customers/client/struts/action/ClientTransferActionStrutsTest.java

Łukasz Domżalski : 
Files : 
* db/src/main/resources/sql/base-data.sql
* appdomain/src/main/java/org/mifos/application/servicefacade/LoginServiceFacadeWebTier.java
* application/src/main/java/org/mifos/security/authentication/MifosDaoAuthenticationProvider.java
* appdomain/src/main/java/org/mifos/customers/personnel/persistence/PersonnelDaoHibernate.java
* db/src/test/resources/sql/acceptance_test_dump.sql
* db/pom.xml
* organization/src/main/java/org/mifos/customers/personnel/business/PersonnelBO.java

Łukasz Domżalski : 
Files : 
* organization/src/main/java/org/mifos/security/authentication/EncryptionService.java
* appdomain/src/main/java/org/mifos/application/servicefacade/LoginServiceFacadeWebTier.java
* organization/src/main/java/org/mifos/security/authentication/PasswordHashing.java
* serviceInterfaces/src/main/java/org/mifos/security/MifosUser.java
* application/src/main/java/org/mifos/security/authentication/MifosDaoAuthenticationProvider.java
* appdomain/src/main/resources/org/mifos/customers/personnel/business/PersonnelBO.hbm.xml
* organization/pom.xml
* appdomain/src/main/java/org/mifos/builders/MifosUserBuilder.java
* appdomain/src/main/java/org/mifos/customers/personnel/persistence/PersonnelDaoHibernate.java
* organization/src/main/java/org/mifos/customers/personnel/business/PersonnelBO.java
* application/src/main/java/org/mifos/framework/components/batchjobs/helpers/SavingsIntPostingHelper.java
* db/src/main/resources/changesets/changelog-Release_G.xml


> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
>                 Key: MIFOS-4342
>                 URL: http://mifosforge.jira.com/browse/MIFOS-4342
>             Project: mifos
>          Issue Type: Improvement
>          Components: Authentication
>    Affects Versions: Release E - Iteration 11
>            Reporter: Adam Feuer
>            Assignee: Łukasz Domżalski
>            Priority: Major
>              Labels: authentication, security
>             Fix For: Release G
>
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is 
> easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed 
> for passwords, such as OpenBSD's Blowfish password hashing. 
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to 
> enable the hardness of the cryptography to keep up with increasing computing 
> power, making it considerably more difficult to crack a database of leaked 
> passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license
> http://www.mindrot.org/projects/jBCrypt/
> Background info:
> http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
> http://codahale.com/how-to-safely-store-a-password/#
> On the recent Gawker security breach, which involved the release of 1.3M 
> accounts and passwords:
> http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
> http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
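
The migration the issue describes (salted MD5 to bcrypt with an adjustable work factor), as an added example that is not Mifos code or part of the original message: stored hashes are upgraded at login, when the plaintext is available. The legacy record layout, the class and method names, and the cost of 12 are assumptions; the `BCrypt` calls come from the jBCrypt library linked in the issue.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import org.mindrot.jbcrypt.BCrypt; // jBCrypt, the library linked in the issue

/** Added illustration, not Mifos code. Requires Java 17+ and jBCrypt on the classpath. */
public final class PasswordUpgrade {
    // Assumed target work factor (log2 rounds); raise it as hardware gets faster.
    static final int TARGET_COST = 12;

    /** ok = credentials valid; replacement = hash to persist, or null if the stored one is current. */
    record Outcome(boolean ok, String replacement) {}

    static Outcome verify(String password, String stored) throws NoSuchAlgorithmException {
        if (stored.startsWith("$2a$")) {
            if (!BCrypt.checkpw(password, stored)) return new Outcome(false, null);
            // "$2a$NN$...": NN is the two-digit cost the hash was created with.
            int cost = Integer.parseInt(stored.substring(4, 6));
            return new Outcome(true, cost < TARGET_COST ? bcrypt(password) : null);
        }
        // Hypothetical legacy layout: hex(salt) + ":" + hex(MD5(salt || password)).
        String[] parts = stored.split(":", 2);
        if (parts.length != 2) return new Outcome(false, null);
        byte[] salt = HexFormat.of().parseHex(parts[0]);
        byte[] expected = HexFormat.of().parseHex(parts[1]);
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(salt);
        byte[] actual = md5.digest(password.getBytes(StandardCharsets.UTF_8));
        // Constant-time comparison; on success the MD5 record is replaced outright.
        if (!MessageDigest.isEqual(expected, actual)) return new Outcome(false, null);
        return new Outcome(true, bcrypt(password));
    }

    static String bcrypt(String password) {
        return BCrypt.hashpw(password, BCrypt.gensalt(TARGET_COST));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample record: salt 0x0a0b0c0d, password "s3cret".
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(new byte[] {0x0a, 0x0b, 0x0c, 0x0d});
        String digest = HexFormat.of().formatHex(md5.digest("s3cret".getBytes(StandardCharsets.UTF_8)));
        Outcome first = verify("s3cret", "0a0b0c0d:" + digest);  // legacy match, bcrypt hash returned
        Outcome second = verify("s3cret", first.replacement());  // already bcrypt at target cost
        Outcome bad = verify("wrong", first.replacement());      // wrong password against new hash
        System.out.println(first.ok() + " " + first.replacement().startsWith("$2a$12$"));
        System.out.println(second.ok() + " " + (second.replacement() == null));
        System.out.println(bad.ok());
    }
}
```

The caller persists `replacement` whenever it is non-null, so accounts leave MD5 on their next successful login and are re-hashed again whenever `TARGET_COST` is raised.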

       
