Posted to dev@syncope.apache.org by Bob Lannoy <bo...@gmail.com> on 2012/06/21 09:23:22 UTC

Password storage

Hi guys,

you probably read the news of LinkedIn passwords being hacked.
This got me somewhat worried since even SHA hashed passwords aren't that safe
anymore the way they are stored now in Syncope.
So I took a little stroll on the internet. Maybe this can serve as some
reference documentation for the implementation.

In the roadmap you have "Remove MD5 as a supported password cipher
algorithm (SYNCOPE-51 <https://issues.apache.org/jira/browse/SYNCOPE-51>)"
but I think this should be extended.
It would be best to add other password mechanisms that include salting and
stretching of passwords (see links).
This would mean that an extra attribute has to be added to the user (salt)
which can be used for that purpose.
You would be able to keep the old ones for backward compatibility and
include new ones which are a lot safer.
Apparently PBKDF2 is considered a secure mechanism.

Some reading material:
https://www.owasp.org/index.php/Hashing_Java
http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
http://throwingfire.com/storing-passwords-securely/


Another remark, I find it strange that when reading a user object I can get
the password. Wouldn't it make more sense to let this inside core?

best regards

Bob

Re: Password storage

Posted by Bob Lannoy <bo...@gmail.com>.
Hi,

Interesting library.
The hashed password also contains the salt, so there would be no need to
have a salt property on the user.

Bob
On Jun 21, 2012 11:18 AM, "Jesse van Bekkum" <be...@gmail.com> wrote:

> Just to make you guys aware, have a look at this library jasypt (
> http://www.jasypt.org/).
>
> It provides all the things mentioned in the articles, such as hashing,
> salting and iteration out of the box.
>
> Jesse van Bekkum
>
> On Thu, Jun 21, 2012 at 10:54 AM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
> > On 21/06/2012 09:23, Bob Lannoy wrote:
> >
> >> Hi guys,
> >>
> >>
> >> Some reading material:
> >> https://www.owasp.org/index.php/Hashing_Java
> >> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
> >> http://throwingfire.com/storing-passwords-securely/
> >>
> >
> > Nice insight: I'll add this to the roadmap.
> >
> >
> >> Another remark, I find it strange that when reading a user object I can get
> >> the password. Wouldn't it make more sense to let this inside core?
> >>
> >
> > Don't worry: the password you will get is encrypted with the selected
> > algorithm.
> >
> > Regards.
> >
> > --
> > Francesco Chicchiriccò
> >
> > ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> > http://people.apache.org/~ilgrosso/
> >
> >
>

Re: Password storage

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 21/06/2012 11:17, Jesse van Bekkum wrote:
> Just to make you guys aware, have a look at this library jasypt (
> http://www.jasypt.org/).
>
> It provides all the things mentioned in the articles, such as hashing,
> salting and iteration out of the box.

Thanks for pointing this out, Jesse: I've updated SYNCOPE-100 with this.

Regards.

> On Thu, Jun 21, 2012 at 10:54 AM, Francesco Chicchiriccò <
> ilgrosso@apache.org> wrote:
>
>> On 21/06/2012 09:23, Bob Lannoy wrote:
>>
>>> Hi guys,
>>>
>>>
>>> Some reading material:
>>> https://www.owasp.org/index.php/Hashing_Java
>>> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
>>> http://throwingfire.com/storing-passwords-securely/
>>>
>> Nice insight: I'll add this to the roadmap.
>>
>>
>>> Another remark, I find it strange that when reading a user object I can get
>>> the password. Wouldn't it make more sense to let this inside core?
>>>
>> Don't worry: the password you will get is encrypted with the selected
>> algorithm.
>>
>> Regards.

-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/


Re: Password storage

Posted by Jesse van Bekkum <be...@gmail.com>.
Just to make you guys aware, have a look at this library jasypt (
http://www.jasypt.org/).

It provides all the things mentioned in the articles, such as hashing,
salting and iteration out of the box.

Jesse van Bekkum

On Thu, Jun 21, 2012 at 10:54 AM, Francesco Chicchiriccò <
ilgrosso@apache.org> wrote:

> On 21/06/2012 09:23, Bob Lannoy wrote:
>
>> Hi guys,
>>
>>
>> Some reading material:
>> https://www.owasp.org/index.php/Hashing_Java
>> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
>> http://throwingfire.com/storing-passwords-securely/
>>
>
> Nice insight: I'll add this to the roadmap.
>
>
>> Another remark, I find it strange that when reading a user object I can get
>> the password. Wouldn't it make more sense to let this inside core?
>>
>
> Don't worry: the password you will get is encrypted with the selected
> algorithm.
>
> Regards.
>
> --
> Francesco Chicchiriccò
>
> ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
> http://people.apache.org/~ilgrosso/
>
>

Re: Password storage

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 21/06/2012 09:23, Bob Lannoy wrote:
> Hi guys,
>
> you probably read the news of LinkedIn passwords being hacked.
> This got me somewhat worried since even SHA hashed passwords aren't that safe
> anymore the way they are stored now in Syncope.
> So I took a little stroll on the internet. Maybe this can serve as some
> reference documentation for the implementation.
>
> In the roadmap you have "Remove MD5 as a supported password cipher
> algorithm (SYNCOPE-51 <https://issues.apache.org/jira/browse/SYNCOPE-51>)"
> but I think this should be extended.
> It would be best to add other password mechanisms that include salting and
> stretching of passwords (see links).
> This would mean that an extra attribute has to be added to the user (salt)
> which can be used for that purpose.
> You would be able to keep the old ones for backward compatibility and
> include new ones which are a lot safer.
> Apparently PBKDF2 is considered a secure mechanism.
>
> Some reading material:
> https://www.owasp.org/index.php/Hashing_Java
> http://jerryorr.blogspot.be/2012/05/secure-password-storage-lots-of-donts.html
> http://throwingfire.com/storing-passwords-securely/

Nice insight: I'll add this to the roadmap.

> Another remark, I find it strange that when reading a user object I can get
> the password. Wouldn't it make more sense to let this inside core?

Don't worry: the password you will get is encrypted with the selected 
algorithm.

Regards.

-- 
Francesco Chicchiriccò

ASF Member, Apache Cocoon PMC and Apache Syncope PPMC Member
http://people.apache.org/~ilgrosso/