In-Portal Issue Tracker


ID: 0001362
Category: [In-Portal CMS] Security
Type: feature request
Reproducibility: N/A
Date Submitted: 2012-07-22 06:26
Last Update: 2012-10-18 10:37
Reporter: alex
View Status: public
Project Name: In-Portal CMS
Assigned To: alex
Developer: (none)
Priority: normal
Resolution: fixed
Fixed in Version: 5.2.1-B1
Status: resolved
Product Version: 5.0.0
Target Version: 5.2.1
Time Estimate: No estimate
Summary: 0001362: Use even more secure password hashing algorithm
Description: I recommend doing 2 things:

* use an adaptive hashing algorithm to hash users' passwords
* use a random salt for each hashed password (this will ensure different hashes even if 2 users use the same password for their accounts).


Here is how I see it being implemented:

1. add the following column to the Users (PortalUser) database table after the Password field:
- PasswordHashingMethod (1 - md5; 2 - md5+phppass; 3 - phppass)

2. during an upgrade we:
- apply "phppass" hashing over the md5 passwords we have in the db
- write down "md5+phppass" as the currently used hashing logic

3. at user login (only if the password isn't hashed via "phppass") we:
- take the plain-text password the user submits in the login form
- hash it using "phppass"
- update the Password and PasswordHashingMethod columns of that user

4. at user login (every time) we:
- look at the value in the PasswordHashingMethod column to determine the hashing algorithm
- generate a hash using that algorithm and the user-provided plain-text password
- compare that hash to the one selected based on the Username/Email the user provided in the login form

5. when checking the password from the SystemSettings table (e.g. on "root" user login) we:
- first check using the phppass hashing algorithm
- if that failed, then check using the salted md5 algorithm
- if that succeeded, then convert the stored password using the phppass hashing algorithm and store it in the database
Additional Information: More reading about this subject:
* http://www.openwall.com/phpass/
* http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html
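The five steps above as a runnable PHP walk-through. This is an added example, not In-Portal's code and not the content of the attached patches. It assumes bcrypt via password_hash()/password_verify() as a stand-in for the phpass library named in the ticket, an in-memory array in place of the Users table, and a hypothetical $legacyCheck callable in place of In-Portal's old salted-md5 comparison for the root password; the method numbers are the ticket's own.

```php
<?php
// Added example, not In-Portal's code or the attached patches. It walks the
// ticket's five steps with an in-memory array standing in for the Users table.
// Assumption: bcrypt via password_hash()/password_verify() stands in for the
// phpass library the ticket names; the method numbers are the ticket's own.

const HASH_MD5        = 1; // legacy: unsalted md5(password)
const HASH_MD5_PHPASS = 2; // transitional: adaptive(md5(password)), set by the upgrade
const HASH_PHPASS     = 3; // target: adaptive(password), random salt per hash

// Stand-in for phpass HashPassword()/CheckPassword(). password_hash() generates
// a fresh random salt on each call, so equal passwords yield different hashes.
function adaptiveHash(string $input): string {
    return password_hash($input, PASSWORD_BCRYPT, ['cost' => 10]);
}
function adaptiveCheck(string $input, string $hash): bool {
    return password_verify($input, $hash);
}

// Step 2 (upgrade): wrap every stored md5 hex digest in the adaptive hash.
// No plaintext is needed, and no unsalted md5 remains in the table afterwards.
function upgradeUsers(array &$users): void {
    foreach ($users as &$u) {
        if ($u['PasswordHashingMethod'] === HASH_MD5) {
            $u['Password'] = adaptiveHash($u['Password']);
            $u['PasswordHashingMethod'] = HASH_MD5_PHPASS;
        }
    }
    unset($u);
}

// Step 4 (every login): pick the check from the row's PasswordHashingMethod.
function passwordMatches(array $user, string $plain): bool {
    switch ($user['PasswordHashingMethod']) {
        case HASH_MD5:
            return hash_equals($user['Password'], md5($plain)); // constant-time compare
        case HASH_MD5_PHPASS:
            return adaptiveCheck(md5($plain), $user['Password']);
        case HASH_PHPASS:
            return adaptiveCheck($plain, $user['Password']);
        default:
            return false; // unknown method: fail closed
    }
}

// Step 3 (login while not yet on the final method): the plaintext is available
// only now, so rehash it and update both columns in the same step.
function login(array &$users, string $username, string $plain): bool {
    if (!isset($users[$username]) || !passwordMatches($users[$username], $plain)) {
        return false;
    }
    if ($users[$username]['PasswordHashingMethod'] !== HASH_PHPASS) {
        $users[$username]['Password'] = adaptiveHash($plain);
        $users[$username]['PasswordHashingMethod'] = HASH_PHPASS;
    }
    return true;
}

// Step 5 (root password in SystemSettings, which has no method column): try the
// adaptive hash first, fall back to the legacy check, convert on legacy success.
// $legacyCheck is a hypothetical callable for In-Portal's old salted-md5 compare.
function checkRootPassword(string &$stored, string $plain, callable $legacyCheck): bool {
    if (adaptiveCheck($plain, $stored)) {
        return true;
    }
    if ($legacyCheck($plain, $stored)) {
        $stored = adaptiveHash($plain);
        return true;
    }
    return false;
}

// Constructed sample data: two users who chose the same password.
$users = [
    'alice' => ['Password' => md5('hunter2'), 'PasswordHashingMethod' => HASH_MD5],
    'bob'   => ['Password' => md5('hunter2'), 'PasswordHashingMethod' => HASH_MD5],
];
assert($users['alice']['Password'] === $users['bob']['Password']); // unsalted md5 collides

upgradeUsers($users);
assert($users['alice']['PasswordHashingMethod'] === HASH_MD5_PHPASS);
assert($users['alice']['Password'] !== $users['bob']['Password']);  // salted now

assert(login($users, 'alice', 'wrong') === false);
assert(login($users, 'alice', 'hunter2') === true);
assert($users['alice']['PasswordHashingMethod'] === HASH_PHPASS);   // migrated on login
assert(login($users, 'alice', 'hunter2') === true);                 // still verifies
assert($users['bob']['PasswordHashingMethod'] === HASH_MD5_PHPASS); // bob never logged in

// Root check: the example stores the legacy value as plain md5 (assumption).
$rootStored  = md5('toor');
$legacyCheck = function (string $plain, string $stored): bool {
    return hash_equals($stored, md5($plain));
};
assert(checkRootPassword($rootStored, 'toor', $legacyCheck) === true);
assert(substr($rootStored, 0, 4) === '$2y$');                      // converted to bcrypt
echo "migration example ok\n";
```

Two points worth checking in any real implementation of this scheme. Step 2 feeds the md5 hex digest (32 ASCII characters) into the adaptive hash, not the raw 16 digest bytes; that keeps the input well under bcrypt's 72-byte limit and free of NUL bytes, which some bcrypt implementations treat as string terminators. And rows still at method 2 after the rollout belong to accounts that have not logged in since the upgrade; they cannot be moved to method 3 without the plaintext, so the method 2 branch has to stay until those accounts are either migrated by a login or forced through a password reset.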
Tags: No tags attached.
Reference: https://groups.google.com/d/topic/in-portal-dev/5Hm6xr5K188/discussion
Change Log Message: Improving password hashing algorithm
Estimate Points: 2
Attached Files:
- improved_password_hashing_core.patch (42,404 bytes) 2012-10-18 10:33
- improved_password_hashing_modules.patch (1,456 bytes) 2012-10-18 10:33

- Relationships
related to 0001414 (resolved, 5.2.1, alex): Centralize code for resource limit setting

- Notes

(0005234) alex (manager), 2012-10-18 10:34

Will test all together later.

(0005235) alex (manager), 2012-10-18 10:37

Fix committed to 5.2.x branch. Commit Message:

Fixes 0001362: Use even more secure password hashing algorithm

- Related Changesets
In-Portal CMS: 5.2.x r15590
Timestamp: 2012-10-18 10:37:18
Author: alex
Fixes 0001362: Use even more secure password hashing algorithm
mod - /in-portal/branches/5.2.x/core/admin_templates/users/root_edit_password.tpl
mod - /in-portal/branches/5.2.x/core/install/install_schema.sql
mod - /in-portal/branches/5.2.x/core/install/upgrades.php
mod - /in-portal/branches/5.2.x/core/install/upgrades.sql
mod - /in-portal/branches/5.2.x/core/install.php
mod - /in-portal/branches/5.2.x/core/kernel/application.php
mod - /in-portal/branches/5.2.x/core/kernel/constants.php
mod - /in-portal/branches/5.2.x/core/kernel/utility/formatters/password_formatter.php
add - /in-portal/branches/5.2.x/core/kernel/utility/php_pass.php
mod - /in-portal/branches/5.2.x/core/units/admin/admin_tag_processor.php
mod - /in-portal/branches/5.2.x/core/units/configuration/configuration_event_handler.php
mod - /in-portal/branches/5.2.x/core/units/forms/form_submissions/form_submissions_eh.php
mod - /in-portal/branches/5.2.x/core/units/helpers/user_helper.php
mod - /in-portal/branches/5.2.x/core/units/users/users_config.php
mod - /in-portal/branches/5.2.x/core/units/users/users_event_handler.php
Modules :: In-Commerce: 5.2.x r15589
Timestamp: 2012-10-18 10:34:56
Author: alex
Bug 0001362: Use even more secure password hashing algorithm
mod - /w/in-commerce/branches/5.2.x/units/orders/orders_config.php
mod - /w/in-commerce/branches/5.2.x/units/orders/orders_event_handler.php

- Issue History
Date Modified Username Field Change
2012-10-18 10:37 alex Note Added: 0005235
2012-10-18 10:37 alex Status reviewed and tested => resolved
2012-10-18 10:37 alex Fixed in Version => 5.2.1-B1
2012-10-18 10:37 alex Resolution open => fixed
2012-10-18 10:37 alex Assigned To !COMMUNITY => alex
2012-10-18 10:37 alex Changeset attached 5.2.x r15590
2012-10-18 10:34 alex Changeset attached 5.2.x r15589
2012-10-18 10:34 alex Note Added: 0005234
2012-10-18 10:34 alex Status needs testing => reviewed and tested
2012-10-18 10:34 alex Assigned To => !COMMUNITY
2012-10-18 10:34 alex Developer => alex
2012-10-18 10:34 alex Status active => needs testing
2012-10-18 10:33 alex File Added: improved_password_hashing_modules.patch
2012-10-18 10:33 alex File Added: improved_password_hashing_core.patch
2012-10-18 10:29 alex Relationship added related to 0001414
2012-10-18 10:22 alex Description Updated View Revisions
2012-10-18 05:57 alex Description Updated View Revisions
2012-07-25 05:39 alex Target Version 5.2.0 => 5.2.1
2012-07-22 06:30 alex Reference => https://groups.google.com/d/topic/in-portal-dev/5Hm6xr5K188/discussion
2012-07-22 06:30 alex Change Log Message => Improving password hashing algorithm
2012-07-22 06:30 alex Estimate Points 1 => 2
2012-07-22 06:30 alex Additional Information Updated View Revisions
2012-07-22 06:26 alex New Issue
2012-07-22 06:26 alex Estimate Points => 1



Web Development by Intechnic
In-Portal Open Source CMS
Copyright © 2000 - 2009 MantisBT Group

Powered by Mantis Bugtracker