Re: [limesurvey-developers] LS 2 security hash - why are we using md5?
From: James A. B. <jba...@mi...> - 2008-06-03 15:54:20
MD5 is a poor choice even for a placeholder. Sorry. But, it is good news that it is *only* a placeholder. I'll check the list archives, and wait for responses here, and if the consensus indeed seems to be SHA256 then I'll definitely be documenting that, and maybe working toward changing it.

-jb

Macasek, Michael A. wrote:
> Jim,
>
> MD5 is a placeholder. I just threw it in there in case during testing
> someone used a 'real' password so we did not store it as text. It is
> still up for debate as to what we want to use. I believe the only
> documentation of this is in email archives and I believe SHA256 was
> suggested.
>
> Did you take this opportunity to document this problem on
> docs.limesurvey.org?
>
> M
>
>
> On 6/3/08 11:42 AM, "James Arthur Barkley" <jba...@mi...> wrote:
>
> All,
> I noticed LS2 is using php's md5() function for hashing user
> passwords for storage in our db. MD5 is old and has several
> 'collision space' problems which make it easy to attack.
> Therefore, if someone were to compromise a LimeSurvey deployment
> or reflect a user's hash string via SQL injection, it would be
> much easier for them to find the actual password (or a string that
> would md5 to the same hash, anyway) than if we were using a more
> secure hash, like sha1 or sha256.
>
> Is there a good reason we are not using sha1? php natively
> supports it, cake supports it as well as sha256, and there are
> several good third party implementations of sha256.
>
> Smarty is using md5 but only for cached data stores, which is fine.
>
> I'm still pretty new to the LS development crew, so maybe persons
> have already weighed in on this issue, but I didn't see it
> documented anywhere, and the LS2 code is using md5.
>
> -jb
>
> _______________________________________________
> limesurvey-developers mailing list
> lim...@li...
> https://lists.sourceforge.net/lists/listinfo/limesurvey-developers

--
James A Barkley
Senior Computer Systems Engineer (AC3)
MITRE Open Services (E542)
M Building
202 Burlington Rd.
Bedford MA 01730
United States
O: 781.271.7017
C: 303.579.2274
Email: jba...@mi...
"If it is complex, make it simple. If it is simple, excel at it. If it is mundane, automate it."
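The thread above contrasts PHP's md5() placeholder with SHA-256 for stored user passwords. The following is an added example, not code from this thread or from the LimeSurvey code base, showing side by side the unsalted md5() scheme being discussed, a salted SHA-256 scheme of the kind the thread proposes, and PHP's built-in password_hash()/password_verify() (available since PHP 5.5), together with a login-time upgrade path that rehashes legacy rows once the user's password is known. The storage format "sha256$<salt>$<digest>", the function names, and the sample password are assumptions made for this example; the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the LimeSurvey thread or code base). Demonstrates why an
// unsalted fast hash is a weak way to store passwords and how a stored row can be
// upgraded transparently at login. Assumes PHP >= 7.1.
declare(strict_types=1);

// --- 1. The placeholder discussed in the thread: unsalted md5() ---------------
// Every user with the same password gets the same stored value, so a leaked table
// can be attacked with a single precomputed lookup.
function legacyMd5Hash(string $password): string
{
    return md5($password);
}

// --- 2. SHA-256 as suggested in the thread, with a per-user random salt --------
// Stored format (an assumption for this example): "sha256$<hex salt>$<hex digest>"
function saltedSha256Hash(string $password, ?string $salt = null): string
{
    $salt   = $salt ?? bin2hex(random_bytes(16));   // 128-bit random salt, hex-encoded
    $digest = hash('sha256', $salt . $password);
    return "sha256\$$salt\$$digest";
}

function saltedSha256Verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 3 || $parts[0] !== 'sha256') {
        return false;
    }
    [, $salt, $digest] = $parts;
    // hash_equals() compares in constant time, so a wrong guess does not leak
    // how many leading characters matched through response timing.
    return hash_equals($digest, hash('sha256', $salt . $password));
}

// --- 3. What a current PHP application should use: password_hash() -------------
// PASSWORD_DEFAULT is a salted, deliberately slow algorithm (bcrypt at the time of
// writing), which is what actually limits offline guessing of a leaked table.
function modernHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modernVerify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// --- 4. Login-time upgrade: accept whatever format is stored, then rehash --------
// Returns [bool $ok, ?string $newStored]; $newStored is non-null when the caller
// should overwrite the user's row with the upgraded hash.
function verifyAndUpgrade(string $password, string $stored): array
{
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy unsalted md5 row (32 hex characters).
        $ok = hash_equals($stored, md5($password));
        return [$ok, $ok ? modernHash($password) : null];
    }
    if (strncmp($stored, 'sha256$', 7) === 0) {
        // Salted SHA-256 row in this example's format.
        $ok = saltedSha256Verify($password, $stored);
        return [$ok, $ok ? modernHash($password) : null];
    }
    // Already a password_hash() row; rehash only if the default cost/algorithm changed.
    $ok = password_verify($password, $stored);
    $needsRehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $needsRehash ? modernHash($password) : null];
}

// --- Demo with a constructed sample password -------------------------------------
$pw = 'correct horse battery staple';

printf("unsalted md5 identical for two users: %s\n",
    legacyMd5Hash($pw) === legacyMd5Hash($pw) ? 'yes' : 'no');
printf("salted sha256 identical for two users: %s\n",
    saltedSha256Hash($pw) === saltedSha256Hash($pw) ? 'yes' : 'no');

$stored = saltedSha256Hash($pw);
printf("salted sha256 verifies correct password: %s\n", saltedSha256Verify($pw, $stored) ? 'yes' : 'no');
printf("salted sha256 rejects wrong password:    %s\n", saltedSha256Verify('wrong', $stored) ? 'yes' : 'no');

[$ok, $upgraded] = verifyAndUpgrade($pw, legacyMd5Hash($pw));
printf("legacy md5 row accepted at login:        %s\n", $ok ? 'yes' : 'no');
printf("upgraded row verifies with password_verify: %s\n",
    $upgraded !== null && modernVerify($pw, $upgraded) ? 'yes' : 'no');
```

The upgrade step is the practical point for a project in the situation described in the thread: because a password hash cannot be converted to a different scheme without the plaintext, the only time a legacy md5() row can be replaced is a successful login, so the verify path has to understand every format that may still be in the table and write back the new one.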