From: Victor B. <vi...@fu...> - 2011-07-26 14:02:39
Here are some requirements to take into consideration:

1. We should support more secure hashing technologies - like the ones identified earlier.

2. The schema should support a model where a MantisBT instance is transitioning from technology A to B, or a mix of N technologies. For example, in our official tracker, we may decide to move from MD5 to SHA-256; this will happen gradually as users log in (hence there may be a need for an auth type per user). Some users may never log in, and hence the DB will stay in a state where it has a mix of MD5 and SHA-256. Another schema is where developers and internal staff of a company log in using LDAP and the customers use the standard forms-based authentication.

3. We should consider delegating a lot of the heavy lifting for supporting different authentication techniques to a framework like Zend, and allow using such plugins via configuration, or installing a MantisBT plugin that installs its custom authentication. The question here is whether we should encourage users in this case to implement a Zend plugin instead of a MantisBT plugin (TBD during design).

On Tue, Jul 26, 2011 at 10:33 PM, John Reese <jo...@no...> wrote:
> On 07/26/2011 06:36 AM, David Hicks wrote:
> > On Tue, 2011-07-26 at 11:18 +0200, Damien Regad wrote:
> >> PHP recommendation [3] is to use crypt() with blowfish algorithm.
> >
> > We use the whirlpool hash function in other parts of MantisBT and I
> > imagine it'd be worthwhile to use it here as well. See crypto_api in
> > 1.3.x for some pointers on how to create whirlpool hashes (it's easy).
> > We can salt passwords and then use key stretching
> > (http://en.wikipedia.org/wiki/Key_stretching) to improve security a
> > little bit more.
>
> No. Just use bcrypt as suggested by Damien. It handles salting for
> you, and also makes it trivial to increase the "work factor" for future
> hashes as the speed of brute forcing increases. I've been wanting to do
> this for a long time, and just haven't gotten around to it; it would be
> an excellent plan to have bcrypt implemented as the default
> authentication system for 1.3.
>
> 1: http://codahale.com/how-to-safely-store-a-password/#
> 2: http://news.ycombinator.com/item?id=2004962
> 3: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php
>
> --
> John Reese
> noswap.com
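One way to realise requirement 2 (a per-user auth type with a gradual MD5-to-stronger-hash migration on login) together with John's point about raising the bcrypt work factor, as an added example that is not MantisBT code. The `auth_type` column, `BCRYPT_COST` and the sample rows are assumptions; it relies on PHP's `password_hash()`, `password_verify()` and `password_needs_rehash()`, which postdate this thread.

```php
<?php
declare(strict_types=1);

// Added example, not MantisBT code. A per-user auth_type column lets legacy MD5
// rows and bcrypt rows coexist; login verifies with whatever the row holds and
// transparently upgrades it to bcrypt at the current work factor.

const BCRYPT_COST = 12; // assumed target work factor; raise it as hardware gets faster

/**
 * Verify $password against a user row. Returns the (possibly upgraded) row,
 * or null if the password is wrong or the scheme is not handled here.
 */
function verify_and_upgrade(array $row, string $password): ?array
{
    switch ($row['auth_type']) {
        case 'md5':
            // Legacy unsalted MD5: compare in constant time, then never store it again.
            if (!hash_equals($row['hash'], md5($password))) {
                return null;
            }
            $needs_rehash = true;
            break;
        case 'bcrypt':
            if (!password_verify($password, $row['hash'])) {
                return null;
            }
            // True when the stored hash was made with a lower cost than BCRYPT_COST.
            $needs_rehash = password_needs_rehash($row['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
            break;
        default:
            return null; // e.g. 'ldap' users are authenticated by a different path
    }
    if ($needs_rehash) {
        // password_hash() picks a random salt and encodes cost and salt in the string.
        $row['hash'] = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $row['auth_type'] = 'bcrypt';
    }
    return $row;
}

// Constructed sample rows: a user still on MD5 and one on bcrypt at an old cost of 10.
$logins = [
    [['auth_type' => 'md5', 'hash' => md5('correct horse')], 'correct horse'],
    [['auth_type' => 'bcrypt', 'hash' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 10])], 'battery staple'],
];
foreach ($logins as [$row, $password]) {
    $after = verify_and_upgrade($row, $password);
    printf("%s -> %s\n", $row['auth_type'], $after === null ? 'rejected' : $after['auth_type']);
}
printf("wrong password: %s\n", verify_and_upgrade($logins[0][0], 'nope') === null ? 'rejected' : 'accepted');
```

On a successful login the returned row would be written back to the user table, so the MD5/bcrypt mix shrinks with each login and a later cost increase needs only a change to `BCRYPT_COST`.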