Re: [Jamwiki-devel] Passwords with salts [was: Question about code fragment]
From: Peter P. <pit...@us...> - 2013-03-20 21:16:40
Hi Ryan,

On 19.03.2013 at 07:09, Ryan Holliday <rya...@gm...> wrote:

> On 3/16/2013 4:46 PM, Peter Palmreuther wrote:
>> So it would be nice if someone could apply this patch to a local
>> export of the sources and test if everything works well; for me it
>> does. Maybe someone can even test if an already existing installation
>> still works ... after the necessary small upgrade.
>
> After updating the column size to 150 characters I ran your patch
> locally without issue - it used my old password without issue
> (unsalted), and after updating to a new password used the new password
> with salt. When you're ready to merge this I can do a larger test with
> some of the test sites I have.

I've got another request: I saw the "encrypt64" method in Encryption, and to keep things simple when introducing the salt I simply used the existing infrastructure. After the salting work I had some time and energy to inspect the other infrastructure elements. I couldn't see the reason behind DES encrypting the password hash ... Does anybody know the rationale behind applying a DES encryption to the SHA-512 hash of the password with a not so secret key?

In the end this makes the encrypted password 96 bytes, while directly Base64 encoding the hash would only require 56 bytes. This way the added salt (8) and hashing algorithm (7) and delimiters (3) would sum up to 74 bytes, which would fit into the current column size.

It would make updating a little more complex, as I'd need to write a DES decrypting routine, but that's not a big deal at all. It's just a matter of: is it OK? I don't know enough about real world installations and the number of users whose data would need to be migrated.

The positive would be less complex code with the same security level, finally raised by enabling salted passwords once they're changed by their users.

What's your opinion?

--
Regards,
Peter
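The storage scheme under discussion (a hashing-algorithm tag, an 8-character salt and the Base64 SHA-512 digest joined by delimiters, with legacy unsalted hashes still accepted and re-hashed once the user logs in) can be sketched as follows. This is an added example written for this archive page, not JAMWiki code and not Peter's patch: the `$SHA-512$<salt>$<base64 digest>` layout, prefixing the salt to the password before hashing, and the `legacy_hash` stand-in for the old unsalted format are all assumptions of the example. The DES layer with a shared, effectively public key is deliberately left out, since it adds length to the column but no protection against an attacker who has both the database and the application; an adversary-resistant deployment today would also swap the single SHA-512 round for a slow, salted KDF, which the same record format can carry under a different algorithm tag.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALG = "SHA-512"          # algorithm tag stored in the record (7 characters)
SALT_LEN = 8             # salt length in characters, as in the thread
_SALT_ALPHABET = string.ascii_letters + string.digits


def new_salt():
    """Random 8-character salt drawn from a CSPRNG (assumed charset)."""
    return "".join(secrets.choice(_SALT_ALPHABET) for _ in range(SALT_LEN))


def _digest_b64(password, salt):
    # Assumption: the salt is prefixed to the password before hashing.
    raw = hashlib.sha512((salt + password).encode("utf-8")).digest()   # 64 bytes
    return base64.b64encode(raw).decode("ascii")                        # 88 chars


def legacy_hash(password):
    """Constructed stand-in for the old unsalted storage: Base64(SHA-512(password))."""
    return _digest_b64(password, "")


def make_record(password, salt=None):
    """Build the salted record: '$' + ALG + '$' + salt + '$' + Base64(SHA-512(salt+password))."""
    salt = salt or new_salt()
    return "$".join(["", ALG, salt, _digest_b64(password, salt)])


def parse_record(record):
    """Return (alg, salt, digest); alg is None for a legacy unsalted record."""
    if record.startswith("$"):
        _, alg, salt, digest = record.split("$", 3)
        return alg, salt, digest
    return None, "", record


def verify(record, password):
    """Check a password against either record format using a constant-time compare."""
    alg, salt, stored = parse_record(record)
    if alg not in (None, ALG):
        return False                      # unknown algorithm tag: refuse rather than guess
    return hmac.compare_digest(stored, _digest_b64(password, salt))


def verify_and_upgrade(record, password):
    """Return (ok, record_to_store).

    A legacy record that verifies is replaced by a freshly salted one, so the
    unsalted hash disappears from the database the first time its owner logs in.
    """
    if not verify(record, password):
        return False, record
    if parse_record(record)[0] is None:
        return True, make_record(password)
    return True, record


if __name__ == "__main__":
    rec = make_record("correct horse", "abcdefgh")   # fixed salt only for the demo
    print(rec, len(rec))
    old = legacy_hash("old pass")
    ok, upgraded = verify_and_upgrade(old, "old pass")
    print(ok, upgraded.startswith("$SHA-512$"))
```

The record length comes out to 3 delimiters + 7 for the tag + 8 for the salt + 88 for the Base64 SHA-512 digest, so the column width must be sized for the digest encoding actually used; the thread's 56-byte figure is Peter's own for the existing `encrypt64` output and is not reproduced here. Storing the algorithm tag in the record is what makes a later move to a slower KDF a per-user, on-login migration rather than a forced reset.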