Feature #7410

Add salt to user passwords

Added by Jean-Philippe Lang over 6 years ago. Updated over 6 years ago.

Status: Closed
Start date: 2011-01-22
Priority: Normal
Due date: -
Assignee: -
% Done: 0%
Category: Accounts / authentication
Target version: 1.2.0
Resolution: Fixed

Description

User passwords are stored as SHA1(password), which makes them vulnerable to a dictionary attack from an attacker who gets access to the database.

The change consists of generating a salt for each user and storing SHA1(salt+SHA1(password)) in the database.


Related issues

Related to Redmine - Feature #6394: Add Salt to Authentication Closed 2010-09-14

Associated revisions

Revision 4936
Added by Jean-Philippe Lang over 6 years ago

Adds random salt to user passwords (#7410).

History

#1 Updated by Eric Thomas over 6 years ago

Duplicates #6394.

#2 Updated by Jean-Philippe Lang over 6 years ago

  • Status changed from New to Closed
  • Resolution set to Fixed

Feature committed in r4936.

#3 Updated by Rick I over 6 years ago

So now if attacker gets hold of the database all he has to do is to remove leading salt (since salt is stored in DB) and proceed with the dictionary attack. I don't see how this makes password any more secure...

#4 Updated by Rick I over 6 years ago

Rick I wrote:

So now if attacker gets hold of the database all he has to do is to remove leading salt (since salt is stored in DB) and proceed with the dictionary attack. I don't see how this makes password any more secure...

Edit:
I take it all back. I didn't see salt+password_hash is hashed again.. my bad :F
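The scheme in the description (store SHA1(salt + SHA1(password)) per user) and the objection in #3/#4 (the salt sits in the same database, so why does it help?) are both illustrated by the following Ruby snippet. It is an added example written for this page, not Redmine's own code from r4936: the salt format (32 hex characters from SecureRandom), the function names and the password dictionary are assumptions made here. It shows that knowing the salt does not let an attacker "remove" it, because the salt is part of the input to the outer hash; the attacker must recompute every candidate per user instead of reusing one table of SHA1(word) across all users.

```ruby
require 'digest/sha1'
require 'securerandom'

# Per-user random salt. The page does not say how Redmine generates its salt;
# a 32-character hex string from SecureRandom is an assumption of this example.
def generate_salt
  SecureRandom.hex(16)
end

# The storage scheme described in the issue: SHA1(salt + SHA1(password)).
def hash_password(password, salt)
  Digest::SHA1.hexdigest(salt + Digest::SHA1.hexdigest(password))
end

# Login check: recompute with the user's stored salt and compare.
def check_password?(stored_hash, salt, candidate)
  hash_password(candidate, salt) == stored_hash
end

# Existing rows hold SHA1(password). Because the inner hash is kept, such a row
# can be converted to the salted form without knowing the password. This is a
# consequence of the construction, noted here as an observation; the page does
# not say whether the actual migration was done this way.
def migrate_legacy_hash(legacy_sha1, salt)
  Digest::SHA1.hexdigest(salt + legacy_sha1)
end

# Dictionary attack on the unsalted store: one SHA1 per word covers every user,
# and a precomputed table of SHA1(word) works against any database.
def crack_unsalted(stored_hash, dictionary)
  dictionary.find { |word| Digest::SHA1.hexdigest(word) == stored_hash }
end

# Against the salted store the attacker does know the salt, but cannot strip it:
# the salt is inside the input of the outer SHA1, so each candidate must be
# hashed again for each user's salt. A table of SHA1(word) matches nothing.
def crack_salted(stored_hash, salt, dictionary)
  dictionary.find { |word| hash_password(word, salt) == stored_hash }
end

# Constructed sample dictionary for the demonstration.
DICTIONARY = %w[123456 password letmein hunter2 qwerty].freeze

# Runs the scenario for one user whose password is "hunter2" and returns the
# observations as a hash so they can be inspected or asserted on.
def demo
  salt = generate_salt
  stored = hash_password('hunter2', salt)
  legacy = Digest::SHA1.hexdigest('hunter2')
  precomputed_table = DICTIONARY.map { |w| Digest::SHA1.hexdigest(w) }
  {
    login_ok: check_password?(stored, salt, 'hunter2'),
    login_wrong: check_password?(stored, salt, 'hunter3'),
    migrated_matches: migrate_legacy_hash(legacy, salt) == stored,
    unsalted_cracked: crack_unsalted(legacy, DICTIONARY),
    salted_cracked: crack_salted(stored, salt, DICTIONARY),
    # The unsalted table contains SHA1("hunter2") but never hits the salted value.
    table_hits_salted: precomputed_table.include?(stored)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Note what the example does and does not show: the salt stops an attacker from amortising one hash computation (or one precomputed table) over every user, but a weak password is still found after a per-user pass over the dictionary, and SHA1 is fast enough that such a pass is cheap. That is why current practice stores passwords with a deliberately slow, salted function such as bcrypt or PBKDF2 rather than plain SHA1; that caveat is the editor's, not something the issue discusses.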
