User Story #1387 (accepted)
Opened 15 years ago
Last modified 10 years ago
Improve login security
Reported by: | jamoore | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | Unscheduled |
Component: | Security | Keywords: | n.a. |
Cc: | cxallan, jrswedlow, jburel, bpindelski, mtbcarroll | Story Points: | n.a. |
Sprint: | n.a. | Importance: | n.a. |
Total Remaining Time: | 0.0d | Estimated Remaining Time: | n.a. |
Description (last modified by jamoore)
Also:
- Review hash/salt functions
- Add method changeUserPasswordWithHash (for 5.0)
- Accept pre-hashed passwords
- Expand hash column to at least 100 characters (or bit vectors up to a min. of 512)
- Add "hashType" column.
- Turn on SSL w/ ADH as a "preferred" transport by default (#838)
- http://arstechnica.com/security/2013/09/long-passwords-are-good-but-too-much-length-can-be-bad-for-security/ (django/4096 limit)
Change History (13)
comment:1 Changed 15 years ago by jmoore
- Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2
comment:2 Changed 14 years ago by jmoore
- Milestone changed from OMERO-Beta4.2 to Unscheduled
comment:3 Changed 14 years ago by jmoore
- Description modified (diff)
comment:4 Changed 14 years ago by jmoore
- Description modified (diff)
comment:5 Changed 14 years ago by jmoore
- Owner jmoore deleted
comment:6 Changed 12 years ago by agilo
- Status changed from new to accepted
Updated status, related task in progress
comment:7 Changed 11 years ago by jmoore
- Description modified (diff)
comment:8 Changed 11 years ago by jamoore
- Cc jburel bpindelski mtbcarroll added
- Description modified (diff)
Discussing hash requirements with Chris. This may need to have effort on the 4.4.x line.
comment:9 Changed 11 years ago by jamoore
- Description modified (diff)
comment:10 Changed 10 years ago by jamoore
https://github.com/openmicroscopy/openmicroscopy/pull/1800 opened. Until the database specification is modified to allow more data to be stored in the 'hash' column, something like http://code.google.com/p/jbcrypt/ is not possible. While we wait on that, this simple salting may be worth it.
comment:11 Changed 10 years ago by jmoore <josh@…>
(In [54ef5d5267396466a4ac9a5c4e8bf5ee73c517c1/ome.git] on branch develop) Simple salting of MD5 passwords (See #1387)
While waiting on a more complete hashing system,
adding a simple salt to the 'hash' column reduces
the benefit to any attacker who may gain access to
the postgresql data.
Passwords are updated as they are changed.
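The scheme discussed in this ticket (a "hashType" column beside the "hash" column, the interim salted MD5 from PR #1800 while the column is too narrow for bcrypt, a wider column for a stronger hash, a changeUserPasswordWithHash-style path that accepts pre-hashed values, and a length cap like the Django 4096 fix linked above) can be modelled in a few dozen lines. The following is an added example, not OMERO's code or the code in PR #1800: the stored-string layouts, the field names, the use of PBKDF2-SHA256 as a stand-in for bcrypt (bcrypt is not in the Python standard library), and the in-memory "table" are all assumptions made for illustration.

```python
# Added example, not OMERO's code: models the hash/hashType columns and the
# migration path described in ticket #1387. Formats and names are assumptions.
import base64
import hashlib
import hmac
import secrets

MAX_PASSWORD_LENGTH = 4096           # cap before hashing, as in the linked Django fix
CURRENT_HASH_TYPE = "pbkdf2-sha256"  # assumed stand-in for bcrypt once the column is wide enough
PBKDF2_ITERATIONS = 100_000
HASH_COLUMN_WIDTH = 100              # the ticket asks for at least 100 characters
KNOWN_HASH_TYPES = ("md5", "md5-salt", "pbkdf2-sha256")


def _check_length(password):
    # Refuse oversized input before any hashing so a slow hash cannot be driven by input size.
    if len(password) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds %d characters" % MAX_PASSWORD_LENGTH)


def hash_password(password, hash_type=CURRENT_HASH_TYPE, salt=None):
    """Return the string written to the 'hash' column for the given hash_type."""
    _check_length(password)
    pw = password.encode("utf-8")
    if hash_type == "md5":
        # Legacy layout: unsalted hex digest, what the column held before this ticket.
        return hashlib.md5(pw).hexdigest()
    salt = salt if salt is not None else secrets.token_bytes(16)
    if hash_type == "md5-salt":
        # Interim scheme: random salt stored in front of the digest (layout is an assumption).
        return salt.hex() + "$" + hashlib.md5(salt + pw).hexdigest()
    if hash_type == "pbkdf2-sha256":
        # Iteration count and salt travel with the hash so parameters can change later.
        dk = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
        return "%d$%s$%s" % (PBKDF2_ITERATIONS,
                             base64.b64encode(salt).decode(),
                             base64.b64encode(dk).decode())
    raise ValueError("unknown hash type: " + hash_type)


def verify_password(stored_hash, hash_type, password):
    """Check a candidate against one row; the hash_type column selects the scheme."""
    _check_length(password)
    pw = password.encode("utf-8")
    if hash_type == "md5":
        expected = hashlib.md5(pw).hexdigest()
    elif hash_type == "md5-salt":
        salt_hex, _ = stored_hash.split("$", 1)
        expected = hash_password(password, "md5-salt", bytes.fromhex(salt_hex))
    elif hash_type == "pbkdf2-sha256":
        iters, salt_b64, _ = stored_hash.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", pw, base64.b64decode(salt_b64), int(iters))
        expected = "%s$%s$%s" % (iters, salt_b64, base64.b64encode(dk).decode())
    else:
        return False
    # Constant-time comparison so a mismatch does not leak how many characters agreed.
    return hmac.compare_digest(expected, stored_hash)


class UserTable:
    """Stand-in for the password table: user -> (hash, hash_type). Assumed, in-memory only."""

    def __init__(self):
        self.rows = {}

    def change_password(self, user, new_password):
        # Every password change writes the current scheme; this is how
        # "passwords are updated as they are changed" migrates old rows.
        self.rows[user] = (hash_password(new_password), CURRENT_HASH_TYPE)

    def change_password_with_hash(self, user, stored_hash, hash_type):
        # Accept an already-hashed value (the ticket's changeUserPasswordWithHash idea);
        # the caller must say which scheme it is, and it must fit the column.
        if hash_type not in KNOWN_HASH_TYPES:
            raise ValueError("unknown hash type: " + hash_type)
        if len(stored_hash) > HASH_COLUMN_WIDTH:
            raise ValueError("hash does not fit a %d-character column" % HASH_COLUMN_WIDTH)
        self.rows[user] = (stored_hash, hash_type)

    def login(self, user, password):
        row = self.rows.get(user)
        if row is None:
            return False
        return verify_password(row[0], row[1], password)


if __name__ == "__main__":
    table = UserTable()
    # Constructed sample: a row imported with the legacy unsalted MD5 layout.
    table.change_password_with_hash("alice", hash_password("secret", "md5"), "md5")
    print("legacy login:", table.login("alice", "secret"), table.rows["alice"][1])
    table.change_password("alice", "new-secret")
    print("after change:", table.login("alice", "new-secret"), table.rows["alice"][1])
```

The point of keeping all three verifiers side by side is that old rows stay usable while each password change silently moves the user onto the current scheme, and the hash_type column records which stage each row is at, so a later audit can count how many legacy rows remain.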
comment:12 Changed 10 years ago by Josh Moore <josh@…>
(In [978b5c7d049bd344647a8e7abf9699b85f74a5be/ome.git] on branch develop) Merge pull request #1800 from joshmoore/1387-simple-salt
Simple salting of MD5 passwords (See #1387)
comment:13 Changed 10 years ago by jmoore <josh@…>
(In [af3857065f174edf43cddfea3450add583deb096/ome.git] on branch dev_4_4) Simple salting of MD5 passwords (See #1387)
While waiting on a more complete hashing system,
adding a simple salt to the 'hash' column reduces
the benefit to any attacker who may gain access to
the postgresql data.
Passwords are updated as they are changed.
This along with OmeroSessions rework is important, but doesn't fit into 4.1