Feature #7410
Add salt to user passwords
| Status: | Closed | Start date: | 2011-01-22 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Accounts / authentication | | |
| Target version: | 1.2.0 | | |
| Resolution: | Fixed | | |
Description
User passwords are stored as SHA1(password) which makes them vulnerable to a dictionary attack from an attacker who gets access to the database.
The change consists of generating a salt for each user and storing SHA1(salt+SHA1(password)) in the database.
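The scheme described above, written out as an added example (this is not Redmine's own code): a per-user salt, the nested SHA1(salt + SHA1(password)) digest, and a verification check. Because the inner digest is the legacy unsalted value, an existing SHA1(password) row can be re-wrapped with a fresh salt without knowing the plaintext; the salt length and field names are assumptions.

```ruby
require 'digest/sha1'
require 'securerandom'

# Per-user random salt. 16 random bytes as hex (assumed length, not from the issue).
def generate_salt
  SecureRandom.hex(16)
end

# Legacy scheme the issue replaces: unsalted SHA1(password).
# Identical passwords give identical digests, so one precomputed table cracks all rows.
def legacy_hash(password)
  Digest::SHA1.hexdigest(password)
end

# Scheme adopted in the issue: SHA1(salt + SHA1(password)).
# The salt is stored beside the digest; it defeats shared precomputed tables,
# but SHA1 is fast, so each row can still be guessed at individually.
def salted_hash(salt, password)
  Digest::SHA1.hexdigest(salt + legacy_hash(password))
end

# Migrate an existing unsalted row: the stored SHA1(password) is exactly the
# inner digest, so it can be re-wrapped with a new salt during the upgrade.
def migrate_legacy_record(legacy_digest)
  salt = generate_salt
  { salt: salt, hashed_password: Digest::SHA1.hexdigest(salt + legacy_digest) }
end

# Login check against a stored { salt:, hashed_password: } record.
def password_matches?(record, candidate)
  salted_hash(record[:salt], candidate) == record[:hashed_password]
end

# Constructed demo: two users with the same password no longer share a digest.
if __FILE__ == $PROGRAM_NAME
  a = migrate_legacy_record(legacy_hash('hunter2'))
  b = migrate_legacy_record(legacy_hash('hunter2'))
  puts "same digest without salt: #{legacy_hash('hunter2') == legacy_hash('hunter2')}"
  puts "same digest with salt:    #{a[:hashed_password] == b[:hashed_password]}"
  puts "login ok:                 #{password_matches?(a, 'hunter2')}"
  puts "wrong password ok:        #{password_matches?(a, 'hunter3')}"
end
```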
Related issues
Associated revisions
Adds random salt to user passwords (#7410).
History
#1 Updated by Eric Thomas over 2 years ago
Duplicates #6394.
#2 Updated by Jean-Philippe Lang about 2 years ago
- Status changed from New to Closed
- Resolution set to Fixed
Feature committed in r4936.
#3 Updated by Rick I about 2 years ago
So now if an attacker gets hold of the database, all he has to do is remove the leading salt (since the salt is stored in the DB) and proceed with the dictionary attack. I don't see how this makes the password any more secure...
#4 Updated by Rick I about 2 years ago
Rick I wrote:
So now if an attacker gets hold of the database, all he has to do is remove the leading salt (since the salt is stored in the DB) and proceed with the dictionary attack. I don't see how this makes the password any more secure...
Edit:
I take it all back. I didn't see that salt+password_hash is hashed again. My bad :F