Secure Password Storage  (#10426)
Issue

WebGUI currently stores passwords as a simple MD5 hash.  This is certainly better than storing the passwords in cleartext, but if access to the WebGUI database is compromised, it would be relatively easy for an attacker to recover the cleartext of the passwords via a precomputed hash dictionary (a rainbow table).

This sort of attack can be made impractical by using stronger hashing methods of the type described here.  Essentially, random salt is added to the password and stored alongside the hash, and adaptive hashing is used to make a brute force attack more expensive.

A scheme like this could be used to hash passwords.  For backwards compatibility, we could use plain MD5 hashing for accounts with no stored salt, and put all new passwords through the new algorithm.
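As an added illustration of the scheme sketched above (not WebGUI's own Perl code, and not the patch referred to in the comments), the following Python shows salted adaptive hashing with a fallback to plain MD5 for records that carry no salt, and a transparent upgrade of such records on the next successful login. The user table, field names and the choice of PBKDF2-HMAC-SHA256 as the adaptive function are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Adaptive cost: raise this as hardware gets faster (assumed value).
PBKDF2_ITERATIONS = 100_000


def legacy_md5(password):
    """The old scheme: unsalted MD5 hex digest of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """New scheme: random salt plus PBKDF2-HMAC-SHA256, stored as one record.

    The record layout {salt, iterations, hash} is assumed for this example.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record, password):
    """Check a password; a record with no stored salt is treated as legacy MD5."""
    if not record.get("salt"):
        return hmac.compare_digest(record["hash"], legacy_md5(password))
    expected = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(record["hash"], expected.hex())


def login(users, username, password):
    """Verify the login and, on success, migrate a legacy record to the new scheme."""
    record = users.get(username)
    if record is None or not verify_password(record, password):
        return False
    if not record.get("salt"):
        users[username] = hash_password(password)  # upgrade in place
    return True


if __name__ == "__main__":
    # Constructed sample table: one legacy account, no salt stored.
    users = {"alice": {"salt": "", "iterations": 0, "hash": legacy_md5("correct horse")}}
    print(login(users, "alice", "correct horse"), users["alice"]["salt"] != "")
```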

Comments
ehab
0
5/31/2009 5:37 pm
If this is done then integrating WebGUI to other systems using the same username and password becomes much much harder.

Please do not do this if you do not keep the old way.
frodwith
0
6/1/2009 8:46 am
What do you mean by integrating with other systems?  The above RFE refers only to the WebGUI auth module, and wouldn't affect other auth systems like LDAP, etc.
JT
0
6/5/2009 10:11 am
approved
frodwith
0
7/1/2009 1:59 pm
I have a patch that implements this, but we're in feature freeze right now.  This will go into WebGUI 7.8 as soon as 7.7 goes stable.
Graham
0
7/8/2009 11:55 am
What ehab means is that there are a number of other systems that can authenticate against MD5 hashed passwords stored in a database like WebGUI uses currently.  This makes it simple to have those other systems authenticate directly against WebGUI's user database.
frodwith
0
7/8/2009 12:05 pm
The proper thing to do in that case is move authentication to something that is designed to be a shared authentication store, like LDAP.  Failing that, there is a simple WebGUI API for doing the check: WebGUI::Auth::WebGUI::hashPassword, same as it used to be.  See the patch for examples of it being called.
Details
Ticket Status Pending
Rating 0.0
Submitted By frodwith
Date Submitted 2009-05-21
Assigned To unassigned
Date Assigned 2010-03-17
Assigned By
What to improve? WebGUI Stable
URL rfe/request-for-enhancement/10426
Karma
Difficulty 30
Karma So Far 0
Karma Rank 0.00
Keywords
Related Files
Ticket History
6/5/2009 10:11 AM Difficulty changed to 30 (JT)
5/21/2009 4:03 PM Ticket created (frodwith)
© 2010 Plain Black Corporation | All Rights Reserved