In-Portal Issue Tracker

Welcome to the In-Portal Open Source CMS Issue Tracker! This is a central management / tracking tool for all types of tasks / issues / bugs for the In-Portal Project. Before reporting any issues, please make sure to read the Guide into Issue Tracker and How to Properly Test and Report Bugs!


Viewing Issue Simple Details
ID: 0001362
Category: [In-Portal CMS] Security
Type: feature request
Reproducibility: N/A
Date Submitted: 2012-07-22 06:26
Last Update: 2012-10-18 10:37
Reporter: alex
View Status: public
Assigned To: alex
Priority: normal
Resolution: fixed
Status: resolved
Summary: 0001362: Use even more secure password hashing algorithm
Description
I recommend doing 2 things:

* use an adaptive hashing algorithm to hash the user's password
* use a random salt for each hashed password (this will ensure a different hash even if 2 users use the same password for their accounts).


Here is how I see it implemented:

1. add the following column to the Users (PortalUser) database table after the Password field:
- PasswordHashingMethod (1 - md5; 2 - md5+phppass; 3 - phppass)

2. during an upgrade we:
- apply "phppass" hashing over the md5 password we have in the db
- write down "md5+phppass" as the currently used hashing logic

3. at user login (only if the password isn't hashed via "phppass") we:
- take the plain-text password the user submits in the login form
- hash it using "phppass"
- update the Password, PasswordHashingMethod columns of that user

4. at user login (every time) we:
- look at the value in the PasswordHashingMethod column to determine the hashing algorithm
- generate a hash using that algorithm and the user-provided plain-text password
- compare the hash to the one that is selected based on the Username/Email provided by the user from the login form

5. when checking the password from the SystemSettings table (e.g. on "root" user login) we:
- first check using the phppass hashing algorithm
- if that failed, then check using the salted md5 algorithm
- if that succeeded, then convert the stored password using the phppass hashing algorithm and store it to the database
Additional Information
More reading about this subject:
* http://www.openwall.com/phpass/
* http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html

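Worked example of the five-step scheme in the report above. This is an added illustration, not In-Portal code (the project is PHP; this Python model was written for this page). The phpass portable "$P$" hash is reimplemented from its public description so the script runs without the phpass library; checking the port against the vector phpass ships in its test.php ($P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0 for the password test12345) confirms it. The function names (`verify`, `upgrade_rows`, `login`), the dict-as-row shape and the assumption that the legacy column holds an unsalted md5 hex string are mine, taken from the description's "md5 password we have in db"; step 5 (the SystemSettings root password) follows the same try-phpass-first-then-legacy pattern and is not modelled separately.

```python
"""Model of the phased hash migration the issue describes (constructed
example, not In-Portal code). The phpass portable "$P$" hash is
reimplemented from its public description so this runs without phpass."""
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# PasswordHashingMethod values, numbered as the issue proposes.
MD5, MD5_PHPASS, PHPASS = 1, 2, 3

def _encode64(data: bytes) -> str:
    """phpass's own base64 variant ('.' and '/' first, no padding)."""
    out, i, n = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)

def phpass_crypt(password: bytes, setting: str) -> str:
    """Recompute a portable phpass hash from its 12-character setting prefix."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        raise ValueError("not a phpass portable hash")
    cost_log2 = ITOA64.index(setting[3])
    if not 7 <= cost_log2 <= 30:
        raise ValueError("unsupported phpass cost")
    salt = setting[4:12].encode("ascii")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << cost_log2):  # the adaptive part: 2**cost md5 rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest)

def phpass_hash(password: bytes, cost_log2: int = 13) -> str:
    """Fresh hash with a random 48-bit salt, like phpass HashPassword()."""
    return phpass_crypt(password, "$P$" + ITOA64[cost_log2] + _encode64(os.urandom(6)))

def verify(user: dict, plain: str) -> bool:
    """Step 4: choose the algorithm from PasswordHashingMethod, then compare."""
    pw, stored, method = plain.encode("utf-8"), user["Password"], user["PasswordHashingMethod"]
    if method == MD5:  # legacy row: unsalted md5 hex (assumed legacy format)
        candidate = hashlib.md5(pw).hexdigest()
    elif method == MD5_PHPASS:  # the upgrade wrapped the old md5 hex in phpass
        candidate = phpass_crypt(hashlib.md5(pw).hexdigest().encode("ascii"), stored)
    elif method == PHPASS:
        candidate = phpass_crypt(pw, stored)
    else:
        raise ValueError("unknown PasswordHashingMethod %r" % method)
    return hmac.compare_digest(candidate, stored)

def upgrade_rows(users: list) -> None:
    """Step 2: wrap every stored md5 hex in phpass without knowing the passwords."""
    for user in users:
        if user["PasswordHashingMethod"] == MD5:
            user["Password"] = phpass_hash(user["Password"].encode("ascii"))
            user["PasswordHashingMethod"] = MD5_PHPASS

def login(user: dict, plain: str) -> bool:
    """Step 3: after a successful login, re-hash the plaintext directly with phpass."""
    if not verify(user, plain):
        return False
    if user["PasswordHashingMethod"] != PHPASS:
        user["Password"] = phpass_hash(plain.encode("utf-8"))
        user["PasswordHashingMethod"] = PHPASS
    return True

def demo() -> dict:
    """Walk one constructed PortalUser row through the whole migration."""
    user = {"Login": "alice", "Password": hashlib.md5(b"s3cret").hexdigest(),
            "PasswordHashingMethod": MD5}
    upgrade_rows([user])                  # offline: method becomes MD5_PHPASS
    after_upgrade = user["PasswordHashingMethod"]
    first_login = login(user, "s3cret")   # online: method becomes PHPASS
    return {"after_upgrade": after_upgrade, "first_login": first_login,
            "final": user["PasswordHashingMethod"],
            "wrong_password": login(user, "s3cre7"),
            "prefix": user["Password"][:4]}

if __name__ == "__main__":
    print(demo())
```

Two points a reviewer of the real change would watch for. In the intermediate "md5+phppass" state the old md5 hex is, in effect, the password that phpass protects, so any md5 that leaked before the upgrade still logs in until step 3 replaces it; the per-user upgrade on login is therefore not optional polish but the step that actually retires the old hashes. Storing the method in its own column (rather than sniffing the "$P$" prefix) keeps the dispatch explicit, and the comparison should be constant-time as above so that a failed login does not leak how many leading characters matched.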
Web Development by Intechnic
In-Portal Open Source CMS
Copyright © 2000 - 2009 MantisBT Group

Powered by Mantis Bugtracker