View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010172 | mantisbt | authentication | public | 2009-02-28 19:07 | 2018-04-10 17:05 |
Reporter | thosjo | Assigned To | dregad | ||
Priority | normal | Severity | feature | Reproducibility | N/A |
Status | closed | Resolution | won't fix | ||
Product Version | 1.2.0a3 | ||||
Summary | 0010172: Passwords in SHA256 using a static salt | ||||
Description | To increase the security of the stored password hashes I've implemented support for SHA256 with a static salt. The transition is handled by changing $g_login_method from MD5 to SHA256. | ||||
Tags | patch, schema | ||||
Attached Files | mantisbt-1.2.0a3-sha256.diff (3,630 bytes)
diff -uNr -x .svn mantisbt-1.2.0a3/admin/schema.php mantisbt-lab/admin/schema.php --- mantisbt-1.2.0a3/admin/schema.php 2009-01-15 17:04:51.000000000 +0100 +++ mantisbt-lab/admin/schema.php 2009-02-28 23:55:02.000000000 +0100 @@ -301,7 +301,7 @@ username C(32) NOTNULL DEFAULT \" '' \", realname C(64) NOTNULL DEFAULT \" '' \", email C(64) NOTNULL DEFAULT \" '' \", - password C(32) NOTNULL DEFAULT \" '' \", + password C(128) NOTNULL DEFAULT \" '' \", date_created T NOTNULL DEFAULT '" . db_null_date() . "', last_visit T NOTNULL DEFAULT '" . db_null_date() . "', enabled L NOTNULL DEFAULT \" '1' \", diff -uNr -x .svn mantisbt-1.2.0a3/config_defaults_inc.php mantisbt-lab/config_defaults_inc.php --- mantisbt-1.2.0a3/config_defaults_inc.php 2009-01-15 17:04:59.000000000 +0100 +++ mantisbt-lab/config_defaults_inc.php 2009-02-28 23:56:44.000000000 +0100 @@ -2149,13 +2149,21 @@ /** * login method - * CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH + * CRYPT or PLAIN or MD5 or LDAP or BASIC_AUTH or SHA256 * You can simply change this at will. MantisBT will try to figure out how the passwords were encrypted. * @global int $g_login_method */ $g_login_method = MD5; /** + * password salt + * Static salt for user passwords + * Make this as long and complicated as you can + * NEW PASSWORDS HAS TO BE GENERATED WHEN THIS IS MODIFIED + */ + $g_password_static_salt = 'blowfish'; + + /** * limit reporters * Set to ON if you wish to limit reporters to only viewing bugs that they report. * @global int $g_limit_reporters diff -uNr -x .svn mantisbt-1.2.0a3/core/authentication_api.php mantisbt-lab/core/authentication_api.php --- mantisbt-1.2.0a3/core/authentication_api.php 2009-01-15 17:04:59.000000000 +0100 +++ mantisbt-lab/core/authentication_api.php 2009-02-28 23:55:03.000000000 +0100 @@ -340,6 +340,7 @@ $t_password = user_get_field( $p_user_id, 'password' ); $t_login_methods = Array( MD5, + SHA256, CRYPT, PLAIN, ); @@ -399,6 +400,11 @@ case MD5: $t_processed_password = md5( $p_password ); break; + case SHA256: + $p_salt = config_get( 'password_static_salt' ); + $t_processed_password = sha256( $p_salt . $p_password ); + break; + case BASIC_AUTH: case PLAIN: default: @@ -406,7 +412,7 @@ break; } - # cut this off to PASSLEN cahracters which the largest possible string in the database + # cut this off to PASSLEN characters which the largest possible string in the database return substr( $t_processed_password, 0, PASSLEN ); } diff -uNr -x .svn mantisbt-1.2.0a3/core/constant_inc.php mantisbt-lab/core/constant_inc.php --- mantisbt-1.2.0a3/core/constant_inc.php 2009-01-15 17:53:27.000000000 +0100 +++ mantisbt-lab/core/constant_inc.php 2009-02-28 23:55:03.000000000 +0100 @@ -115,6 +115,7 @@ define( 'LDAP', 4 ); define( 'BASIC_AUTH', 5 ); define( 'HTTP_AUTH', 6 ); +define( 'SHA256', 7 ); # file upload methods define( 'DISK', 1 ); @@ -476,4 +477,4 @@ # Lengths - NOTE: these may represent hard-coded values in db schema and should not be changed. define( 'USERLEN', 32); define( 'REALLEN', 64); -define( 'PASSLEN', 32); +define( 'PASSLEN', 128); diff -uNr -x .svn mantisbt-1.2.0a3/core/custom_function_api.php mantisbt-lab/core/custom_function_api.php --- mantisbt-1.2.0a3/core/custom_function_api.php 2009-01-15 17:04:52.000000000 +0100 +++ mantisbt-lab/core/custom_function_api.php 2009-02-28 23:55:03.000000000 +0100 @@ -196,6 +196,7 @@ CRYPT, CRYPT_FULL_SALT, MD5, + SHA256, ); if( in_array( config_get( 'login_method' ), $t_can_change ) ) { return true; | ||||
related to | 0011250 | closed | dregad | Allow SHA1 passwords |
has duplicate | 0009171 | closed | vboctor | Implement secure/salted hashing algorithm for passwords |
has duplicate | 0013273 | closed | atrol | Store salted passwd only |
has duplicate | 0021859 | closed | atrol | Passwords using MD5 |
related to | 0022839 | assigned | dregad | Deprecate MD5 login method and replace with BCRYPT hash |
Two major troubles with your patch:
|
|
I agree, the schema was modified to work with my lab but shouldnt be used when upgrading of course. A static salt isn't as useful as a randomly generated salt but it's better than the current md5(). 0009171 Has PHPass (http://cvsweb.openwall.com/cgi/cvsweb.cgi/projects/phpass/) been look at as an alternative? |
|
Agreed with the concept. There are two possible approaches:
Ideally we should have number 2. |
|
The salt should be randomly generated per-password so that an attacker can't create a new rainbow table to crack all passwords from a Mantis database in parallel. It might be best to add a new crypto_api that handles this sort of stuff using more modern PHP methods such as hash()? |
|
Where does the function sha256() in the patch come from? It's not a php core function. sha1() exists. I would also suggest to use sha265/sha512 with dynamic salt and hash(). |
|
What the state of this request? |
|
What's the status on this? The fact that MD5 is still the default option in 2017 is alarming, especially since it is preferred over crypt() (which could offer much more secure hashes like bcrypt) without any obvious explanation. |
|
It does not make much sense to implement SHA1 / SHA256 nowadays. BCRYPT is a much better option for hashing passwords, and is now offered by PHP as default method via password_hash() function. I am therefore resolving this issue as "won't fix"; please follow-up in 0022839 for implementation of BCRYPT as default login method in future releases of MantisBT. |
|