View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
09567 | Feature requests | Security | public | 2015-03-17 12:35 | 2017-11-03 11:32 |
Reporter | leberger | Assigned To | DenisChenu | ||
Priority | normal | Severity | feature | ||
Status | closed | Resolution | reopened | ||
Summary | 09567: no salt used for password hashing. | ||||
Description | Apparently, no salts are used for passwords. | ||||
Additional Information | Hint to solve this problem. https://crackstation.net/hashing-security.htm When implementing this, you can either force the users to reset their password (so that you have ONLY salted passwords), or keep the old password "retro compatible" (thus salt is an empty string). However, if you prefer the second option, we should encourage admins to force the reset of all passwords. | ||||
Tags | No tags attached. | ||||
Bug heat | 256 | ||||
Story point estimate | |||||
Users affected % | |||||
https://github.com/LimeSurvey/LimeSurvey/blob/master/application/core/plugins/Authdb/Authdb.php#L119 hash('sha256', $password) |
|
No salt, right |
|
Maybe adding 2 salts and updating them at each login. One current (empty at start for old users), one next. Compare the password with the crypted password with the current hash and save it with the future hash after. Move future to current and create a new one for future. |
|
Fix committed to develop branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=24369 |
|
LimeSurvey: develop f5aa619f 2017-10-30 18:44:02 Committer: |
Fixed issue 09567: no salt used for password hashing. Fixed issue : Unable to update user on User management Fixed issue : unsave user params show as success Dev: usage password_hash/password_verify Dev: move all function to model (not to plugin (?)) Dev: don't find other one, but still search for it |
Affected Issues 09567 |
|
mod - application/commands/ResetPasswordCommand.php | Diff File | ||
mod - application/controllers/InstallerController.php | Diff File | ||
mod - application/controllers/admin/authentication.php | Diff File | ||
mod - application/controllers/admin/useraction.php | Diff File | ||
mod - application/core/UserIdentity.php | Diff File | ||
mod - application/core/plugins/Authdb/Authdb.php | Diff File | ||
mod - application/core/plugins/Authwebserver/Authwebserver.php | Diff File | ||
mod - application/models/User.php | Diff File |
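
The migration discussed in this issue (old unsalted SHA-256 hashes stay verifiable, and each account moves to password_hash/password_verify at its next successful login), as an added example that is not LimeSurvey's code. The function names and the in-memory user record are hypothetical.

```php
<?php
// Added example, not LimeSurvey code: function names and the in-memory
// "user record" array are hypothetical.

/** True when the stored value looks like a legacy unsalted SHA-256 hex digest. */
function isLegacySha256(string $stored): bool
{
    return strlen($stored) === 64 && ctype_xdigit($stored);
}

/**
 * Verify a login attempt. On success, return the value that should now be
 * stored (a salted password_hash() string); on failure, return null.
 */
function verifyAndUpgrade(string $password, string $stored): ?string
{
    if (isLegacySha256($stored)) {
        // Legacy path: constant-time compare against the unsalted digest.
        if (!hash_equals(strtolower($stored), hash('sha256', $password))) {
            return null;
        }
        // The plaintext is only available at login, so re-hash it now.
        return password_hash($password, PASSWORD_DEFAULT);
    }
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Re-hash when the default algorithm or cost changed since it was stored.
    return password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $stored;
}

// Constructed sample record: a user created before the migration.
$user = ['name' => 'admin', 'password' => hash('sha256', 'correct horse')];

$new = verifyAndUpgrade('correct horse', $user['password']);
if ($new !== null && $new !== $user['password']) {
    $user['password'] = $new; // a real application would persist this value
}

echo 'still legacy: ', var_export(isLegacySha256($user['password']), true), PHP_EOL;
echo 'right password accepted: ',
    var_export(verifyAndUpgrade('correct horse', $user['password']) !== null, true), PHP_EOL;
echo 'wrong password accepted: ',
    var_export(verifyAndUpgrade('wrong', $user['password']) !== null, true), PHP_EOL;
```

Accounts that never log in again keep their unsalted digest, which is why the reporter suggests that admins force a reset of all passwords. The password column must also be wide enough for password_hash() output, which is longer than a bcrypt string for some algorithms.
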
Date Modified | Username | Field | Change |
---|---|---|---|
2015-03-17 12:35 | leberger | New Issue | |
2015-03-21 11:27 | DenisChenu | Note Added: 31874 | |
2015-03-21 11:27 | DenisChenu | Status | new => closed |
2015-03-21 11:27 | DenisChenu | Assigned To | => DenisChenu |
2015-03-21 11:27 | DenisChenu | Resolution | open => no change required |
2015-03-21 11:27 | DenisChenu | Fixed in Version | => 2.00+ |
2015-03-21 11:29 | DenisChenu | Assigned To | DenisChenu => |
2015-03-21 11:29 | DenisChenu | Note Added: 31875 | |
2015-03-21 11:29 | DenisChenu | Status | closed => feedback |
2015-03-21 11:29 | DenisChenu | Resolution | no change required => reopened |
2015-03-21 11:29 | DenisChenu | Status | feedback => new |
2015-04-06 19:02 | technojoe | Issue Monitored: technojoe | |
2017-10-10 16:33 | DenisChenu | Note Added: 44563 | |
2017-10-21 17:33 | DenisChenu | Assigned To | => DenisChenu |
2017-10-21 17:33 | DenisChenu | Status | new => assigned |
2017-10-21 17:36 | DenisChenu | Note Added: 44778 | |
2017-10-31 15:02 | DenisChenu | Note Added: 44912 | |
2017-11-01 13:35 | | Changeset attached | => LimeSurvey develop f5aa619f |
2017-11-01 13:35 | | Note Added: 44919 | |
2017-11-03 11:32 | | Status | assigned => closed |
2017-11-03 11:32 | | Fixed in Version | 2.00+ => develop |
2021-08-02 17:18 | guest | Bug heat | 254 => 256 |