Feature #7410

closed

Add salt to user passwords

Added by Jean-Philippe Lang over 13 years ago. Updated about 13 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Accounts / authentication
Target version:
Start date: 2011-01-22
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed

Description

User passwords are stored as SHA1(password), which makes them vulnerable to a dictionary attack from an attacker who gets access to the database.

The change consists of generating a salt for each user and storing SHA1(salt+SHA1(password)) in the database.
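The following is a worked example of the scheme described above, added here for this page; it is not Redmine's User model or the code committed in r4936, and the salt length, record layout and sample passwords are my assumptions. It puts the old SHA1(password) scheme beside the new SHA1(salt + SHA1(password)) scheme, shows why a dictionary precomputed once as SHA1(word) stops working against salted rows (the point raised in the comments below), and shows a property the nested construction gives for free: existing rows can be converted to the new format without knowing any cleartext password, because the outer hash only needs the old SHA1(password) value.

```ruby
require 'digest/sha1'
require 'securerandom'

# Example written for this page, not Redmine's own code.
# Old scheme:  hashed_password = SHA1(password)
# New scheme:  hashed_password = SHA1(salt + SHA1(password)), random salt per user
SALT_BYTES = 16 # assumption: 16 random bytes, stored hex-encoded (32 chars)

def sha1_hex(str)
  Digest::SHA1.hexdigest(str)
end

# Old scheme: no salt, so identical passwords give identical stored values.
def legacy_hash(password)
  sha1_hex(password)
end

# New scheme: the salt is part of the SHA1 input, not a prefix of the stored
# value, so there is no "leading salt" to strip from hashed_password.
def salted_hash(salt, password)
  sha1_hex(salt + sha1_hex(password))
end

def new_user_record(login, password)
  salt = SecureRandom.hex(SALT_BYTES)
  { login: login, salt: salt, hashed_password: salted_hash(salt, password) }
end

# Migrating an existing row only needs the old SHA1(password) value: the inner
# hash is already what the database holds, so no cleartext is required.
def migrate_legacy_record(login, legacy_hashed_password)
  salt = SecureRandom.hex(SALT_BYTES)
  { login: login, salt: salt, hashed_password: sha1_hex(salt + legacy_hashed_password) }
end

def check_password?(record, candidate)
  salted_hash(record[:salt], candidate) == record[:hashed_password]
end

# Attacker side: a dictionary precomputed once as SHA1(word) => word.
def precomputed_table(wordlist)
  wordlist.each_with_object({}) { |w, t| t[sha1_hex(w)] = w }
end

# Against unsalted rows, one table lookup per row recovers the password.
def crack_legacy(table, hashed_password)
  table[hashed_password]
end

# Against salted rows the precomputed table is useless; the attacker must redo
# the whole dictionary for each distinct salt, i.e. once per user.
def crack_salted(wordlist, record)
  wordlist.find { |w| salted_hash(record[:salt], w) == record[:hashed_password] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  words = %w[password letmein redmine123 correcthorse]
  table = precomputed_table(words)

  alice = new_user_record('alice', 'letmein')
  bob   = new_user_record('bob', 'letmein')
  puts "same password, different stored hashes: #{alice[:hashed_password] != bob[:hashed_password]}"
  puts "precomputed table against legacy row:   #{crack_legacy(table, legacy_hash('letmein')).inspect}"
  puts "precomputed table against salted row:   #{crack_legacy(table, alice[:hashed_password]).inspect}"
  puts "per-user dictionary run against alice:  #{crack_salted(words, alice).inspect}"

  carol = migrate_legacy_record('carol', legacy_hash('redmine123'))
  puts "migrated row still verifies:            #{check_password?(carol, 'redmine123')}"
end
```

Note what the salted variant does and does not buy: `crack_legacy` fails against every salted row and two users with the same password no longer share a hash, but `crack_salted` still recovers a weak password because SHA1 is cheap to compute; the salt forces the attacker to spend that work once per user instead of once per dump. A slow, iterated password hash would be needed to raise the per-user cost, which is outside the scope of this issue.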


Related issues

Related to Redmine - Feature #6394: Add Salt to Authentication (Closed, 2010-09-14)
Related to Redmine - Defect #8514: Custom Password storing break pam_mysql (Closed, 2011-06-03)
Actions #1

Updated by Eric Thomas over 13 years ago

Duplicates #6394.

Actions #2

Updated by Jean-Philippe Lang about 13 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Feature committed in r4936.

Actions #3

Updated by Rick I about 13 years ago

So now if an attacker gets hold of the database, all he has to do is remove the leading salt (since the salt is stored in the DB) and proceed with the dictionary attack. I don't see how this makes the password any more secure...

Actions #4

Updated by Rick I about 13 years ago

Rick I wrote:

So now if an attacker gets hold of the database, all he has to do is remove the leading salt (since the salt is stored in the DB) and proceed with the dictionary attack. I don't see how this makes the password any more secure...

Edit:
I take it all back. I didn't see that salt+password_hash is hashed again... my bad :F

Actions #5

Updated by Go MAEDA over 3 years ago

  • Related to Defect #8514: Custom Password storing break pam_mysql added