
User Story #1387 (accepted)

Opened 11 years ago

Last modified 6 years ago

Improve login security

Reported by: jamoore
Owned by:
Priority: critical
Milestone: Unscheduled
Component: Security
Keywords: n.a.
Cc: cxallan, jrswedlow, jburel, bpindelski, mtbcarroll
Story Points: n.a.
Sprint: n.a.
Importance: n.a.
Total Remaining Time: 0.0d
Estimated Remaining Time: n.a.

Description (last modified by jamoore)

Also:

Change History (13)

comment:1 Changed 11 years ago by jmoore

  • Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2

This along with OmeroSessions rework is important, but doesn't fit into 4.1

comment:2 Changed 11 years ago by jmoore

  • Milestone changed from OMERO-Beta4.2 to Unscheduled

comment:3 Changed 11 years ago by jmoore

  • Description modified (diff)

comment:4 Changed 10 years ago by jmoore

  • Description modified (diff)

comment:5 Changed 10 years ago by jmoore

  • Owner jmoore deleted

comment:6 Changed 9 years ago by agilo

  • Status changed from new to accepted

Updated status, related task in progress

comment:7 Changed 8 years ago by jmoore

  • Description modified (diff)

comment:8 Changed 7 years ago by jamoore

  • Cc jburel bpindelski mtbcarroll added
  • Description modified (diff)

Discussing hash requirements with Chris. This may need to have effort on the 4.4.x line.

comment:9 Changed 7 years ago by jamoore

  • Description modified (diff)

comment:10 Changed 7 years ago by jamoore

https://github.com/openmicroscopy/openmicroscopy/pull/1800 opened. Until the database specification is modified to allow more data to be stored in the 'hash' column, something like http://code.google.com/p/jbcrypt/ is not possible. While we wait on that, this simple salting may be worth it.

comment:11 Changed 7 years ago by jmoore <josh@…>

(In [54ef5d5267396466a4ac9a5c4e8bf5ee73c517c1/ome.git] on branch develop) Simple salting of MD5 passwords (See #1387)

While waiting on a more complete hashing system,
adding a simple salt to the 'hash' column reduces
the benefit to any attacker who may gain access to
the postgresql data.

Passwords are updated as they are changed.

comment:12 Changed 7 years ago by Josh Moore <josh@…>

(In [978b5c7d049bd344647a8e7abf9699b85f74a5be/ome.git] on branch develop) Merge pull request #1800 from joshmoore/1387-simple-salt

Simple salting of MD5 passwords (See #1387)

comment:13 Changed 6 years ago by jmoore <josh@…>

(In [af3857065f174edf43cddfea3450add583deb096/ome.git] on branch dev_4_4) Simple salting of MD5 passwords (See #1387)

While waiting on a more complete hashing system,
adding a simple salt to the 'hash' column reduces
the benefit to any attacker who may gain access to
the postgresql data.

Passwords are updated as they are changed.
