On 06/08/2012 11:40 AM, Frank Karlitschek wrote:
> O.K. I will add an option in the config.php file to set a salt
> which will be used to hash the passwords. This salt will be auto
> generated during setup.
If you want secure storage for the passwords, you should use a hashing function which creates a new random salt for every user. Otherwise attacks with rainbow tables are still possible. A single salt for all users is better than no salt, but it's still bad.

Also, a better hashing algorithm than MD5 would be a good idea. MD5 is completely insecure for cryptographic reasons. Modern hashing algorithms like SHA2 with a length of 256+ should be used for modern software. The crypt function of Linux gives simple access to high-quality crypto algorithms like salted SHA256 or SHA512. They are stored in the form $algorithmtype$salt$hash and are widely accepted to be secure. (See https://en.wikipedia.org/wiki/Crypt_(Unix) )

> This means of course that your user accounts are lost if you only
> delete the config file but not the database. But this is probably
> the price of security.

If you store the salt together with the database, you don't lose anything as long as your database is valid. Copying users between systems should be possible as well.
Greetings,
Hendrik

Owncloud mailing list
https://mail.kde.org/mailman/listinfo/owncloud
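As an added example (not ownCloud's code and not from the mail above), the following shows the per-user random salt the mail asks for, stored in the $algorithmtype$salt$hash layout it describes, next to a shared-salt table that makes visible why one salt for all users still leaks which accounts share a password. It assumes PBKDF2-HMAC-SHA256 from Python's hashlib as a stand-in for the crypt(3) SHA-crypt algorithms, and the user names and passwords are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for crypt(3)'s salted SHA-512
# ("$6$...") so the example runs without the deprecated crypt module.
ALG = "pbkdf2-sha256"
ROUNDS = 100_000


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Return '$alg$salt$hexdigest'. A fresh random salt is drawn per call,
    i.e. per user, unless an explicit salt is passed (used for verification)."""
    if salt is None:
        salt = secrets.token_hex(16)          # 128-bit random, per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ROUNDS)
    return f"${ALG}${salt}${digest.hex()}"


def parse_hash(stored: str) -> Tuple[str, str, str]:
    """Split '$alg$salt$hash' into its three fields; reject other layouts."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or not all(parts[1:]):
        raise ValueError("unexpected stored-hash format")
    return parts[1], parts[2], parts[3]


def verify_password(password: str, stored: str) -> bool:
    """Re-hash with the salt taken from the stored string and compare in
    constant time, so the salt never has to live outside the database."""
    alg, salt, _ = parse_hash(stored)
    if alg != ALG:
        return False
    return hmac.compare_digest(hash_password(password, salt), stored)


def hash_user_table(users: Dict[str, str], per_user_salt: bool,
                    global_salt: str = "") -> Dict[str, str]:
    """Hash every user's password. With per_user_salt=False every user gets
    the same global salt (the config.php approach); equal passwords then
    produce equal hashes and one rainbow table covers the whole table."""
    return {name: hash_password(pw, None if per_user_salt else global_salt)
            for name, pw in users.items()}
```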
