Hi Andreas, thanks for the hint. Waiting for your patch ;-)
The challenge is that we can't implement it as usual and put a salt into the code. This would be useless because the code is open source. So the salt has to be different for every installation. We could generate a random salt during installation and store it in the config file. The admin has to understand that the user database can't be migrated to a different host without the config.php entry. This is not a protection if the server is completely cracked, as the one from LinkedIn was, because the salt is stored in cleartext on the server. Obviously this only helps if someone used the internal ownCloud user management and has no effect if LDAP or any other user backend is used.

Suggestions?

Frank

On 08.06.2012, at 10:15, Andreas Schneider <[email protected]> wrote:

> You know there is this rocket science technology from the 70ies. It is called
> salt in cryptography. I suggested several times to use salting in owncloud but
> we still don't have it.
>
> First linkedin:
> http://www.h-online.com/security/news/item/LinkedIn-confirms-that-user-passwords-were-compromised-1612554.html
>
> then last.fm:
> http://www.lastfm.de/passwordsecurity
>
> next: your owncloud installation ...
>
> -- andreas
>
> --
> Andreas Schneider GPG-ID: F33E3FC6
> www.cryptomilk.org [email protected]
>
> _______________________________________________
> Owncloud mailing list
> [email protected]
> https://mail.kde.org/mailman/listinfo/owncloud
