On 21/06/2012 09:23, Bob Lannoy wrote:
Hi guys,
You probably read the news of LinkedIn passwords being hacked.
This got me somewhat worried, since even SHA-hashed passwords aren't that safe
anymore the way they are stored now in Syncope.
So I took a little stroll on the internet. Maybe this can serve as some
reference documentation for the implementation.
In the roadmap you have "Remove MD5 as a supported password cipher
algorithm (SYNCOPE-51 <https://issues.apache.org/jira/browse/SYNCOPE-51>)"
but I think this should be extended.
It would be best to add other password mechanisms that include salting and
stretching of passwords (see links).
This would mean that an extra attribute has to be added to the user (salt)
which can be used for that purpose.
You would be able to keep the old ones for backward compatibility and
include new ones which are a lot safer.
Apparently PBKDF2 is considered a secure mechanism.
Some reading material:
https://www.owasp.org/index.php/Hashing_Java
http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
http://throwingfire.com/storing-passwords-securely/
Nice insight: I'll add this to the roadmap.
Another remark: I find it strange that when reading a user object I can get
the password. Wouldn't it make more sense to keep this inside core?
Don't worry: the password you will get is encrypted with the selected
algorithm.
Regards.
--
Francesco Chicchiriccò
ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/
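The scheme Bob sketches above (a per-user salt attribute, an iterated PBKDF2 derivation, and old unsalted records kept verifiable for backward compatibility) as an added example that is not Syncope's code and not part of this thread. It is written in Python on top of the standard library's `hashlib.pbkdf2_hmac` rather than in Java; the record format `PBKDF2$<iterations>$<salt>$<hash>`, the iteration count, the salt length and the `SHA256$` legacy prefix are all constructed for this illustration and are not Syncope's real storage format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for this example (not Syncope's configuration):
PBKDF2_ITERATIONS = 100_000   # the "stretching" factor; raise it as hardware gets faster
SALT_BYTES = 16               # random, per user, stored next to the hash
DERIVED_KEY_BYTES = 32        # PBKDF2-HMAC-SHA256 output length


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS,
                         salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: PBKDF2$<iterations>$<salt_b64>$<dk_b64>.

    A fresh random salt is generated per call, so two users with the same
    password get different records and a precomputed table is useless.
    The iteration count is stored in the record so it can be raised later
    without breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DERIVED_KEY_BYTES)
    return f"PBKDF2${iterations}${_b64(salt)}${_b64(dk)}"


def hash_password_legacy_sha(password: str) -> str:
    """Unsalted, single-round SHA-256: the kind of record the mail calls out
    as no longer safe. Kept only so that values already stored can still be
    verified until they are migrated."""
    return "SHA256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(password: str, record: str) -> bool:
    """Verify a candidate password against either record type.

    The comparison uses hmac.compare_digest so that the time taken does not
    depend on how many leading bytes happen to match.
    """
    parts = record.split("$")
    if parts[0] == "PBKDF2" and len(parts) == 4:
        iterations = int(parts[1])
        salt = _unb64(parts[2])
        expected = _unb64(parts[3])
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                     iterations, dklen=len(expected))
        return hmac.compare_digest(actual, expected)
    if parts[0] == "SHA256" and len(parts) == 2:
        actual = hashlib.sha256(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(actual, parts[1])
    return False  # unknown or malformed record: never accept


def needs_upgrade(record: str) -> bool:
    """True for any record that is not yet salted and stretched."""
    return not record.startswith("PBKDF2$")


def login_and_upgrade(password: str, record: str) -> Tuple[bool, str]:
    """Return (ok, record_to_store).

    On a successful login against a legacy record the plaintext is available
    for a moment, so this is the one point where it can be re-hashed with
    PBKDF2 and the stored value migrated transparently; a failed login
    leaves the record untouched.
    """
    if not verify_password(password, record):
        return False, record
    if needs_upgrade(record):
        return True, hash_password_pbkdf2(password)
    return True, record


if __name__ == "__main__":
    # Constructed walk-through: a user whose record predates salting.
    old = hash_password_legacy_sha("correct horse")
    ok, new = login_and_upgrade("correct horse", old)
    print("login ok:", ok)
    print("old record:", old)
    print("new record:", new)
```

The salt does not need to be secret, only unique per user, which is why storing it alongside the hash (Bob's "extra attribute") is sufficient; the iteration count in the record is what lets an administrator raise the cost later while old records keep verifying.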