This repository has been archived by the owner on Feb 18, 2024. It is now read-only.

Insecure password storage #44

Open
st161848 opened this issue Jun 28, 2021 · 1 comment
st161848 commented Jun 28, 2021

Password hashes are created with crypto.createHmac(passwordAlgorithm, passwordSecret).update(password), which is not a secure way of storing passwords.

Notably, two users who have the same password will share the same password hash:

ccims=# select (username, pw_hash) from users;
                             row
-------------------------------------------------------------
 (test1,sha256;6UBguf6xoaDCi0HsGx8JoP32WrJoXKmSwghTr23buH4=)
 (test2,sha256;6UBguf6xoaDCi0HsGx8JoP32WrJoXKmSwghTr23buH4=)
(2 rows)

Instead, passwords should be stored with a random salt and an intentionally expensive validation function such as PBKDF2. Using a password secret is probably not necessary.

@nk-coding
Contributor

@ModellbahnFreak fyi
Currently, the authentication part of CCIMS is highly problematic, not only from a security standpoint, but also from a usability standpoint.
Therefore, we plan to switch to a dedicated authentication server in the near future, probably using the OpenID Connect protocol.
