> Hi all,
>
> I am currently reviewing [1] as part of SYNCOPE-276 and I've just realized
> that, since SYNCOPE-51 removed support for MD5 (as password cipher algorithm),
> we might have a considerable upgrade problem.
>
> What about an existing 1.0.X installation with MD5 passwords? When upgrading
> to 1.1.0, no user will be able to authenticate any more, because the values of
> the 'password' column in the 'SyncopeUser' table cannot be verified with any of
> the available cipher algorithms.
>
> What can we suggest as best practice in this case?
>
> IMO we can provide a class extending SyncopeAuthenticationProvider [2], able
> to check authentication for MD5 users and leaving the rest to
> SyncopeAuthenticationProvider. This new authenticator can then be configured in
> securityContext.xml [3], allowing people to keep this as a temporary workaround
> until all users have changed their password with the newly configured cipher
> algorithm.
>
> WDYT? Can you think of a better alternative?
If I understand it correctly, the disadvantage of this approach would be that the hash of a user stays vulnerable until she changes her password.

IMO a more secure but also more complicated approach for migration would be to rehash the MD5 password hashes in a secure way. It seems that Drupal followed such an approach:
http://drupal.org/node/1349758

If one wants to have hashes based on standard algorithms, one could in addition change such a rehashed hash to a standard (e.g. bcrypt) hash once the user logs in and Syncope sees the password in clear (possibly this could also be done by SyncopeAuthenticationProvider).
http://blog.jgc.org/2012/06/one-way-to-fix-your-rubbish-password.html describes such an approach.

There also was an interesting discussion on migration of MD5 passwords on stackoverflow:
http://stackoverflow.com/questions/10771198/migrate-old-md5-passwords-to-bcrypt-passwords

Cheers,
Guido
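The two-step migration sketched in the reply above (wrap every stored MD5 digest in a strong hash offline, without knowing any password, then replace the wrapped record with a native hash at the user's first successful login) as an added example. This is not code from this thread or from Syncope: PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt so the script has no third-party dependency, and the `$`-separated record format, the in-memory user table, the sample passwords and all function names are constructed for the example.

```python
"""Migrate a table of bare MD5 password hashes without knowing the passwords.

Step 1 (offline, at upgrade time): wrap each stored MD5 digest in a salted,
iterated hash, so the column no longer holds unsalted, crackable MD5 values.
Step 2 (online, per login): verify against the wrapped form and, since the
plaintext is in hand at that moment, rewrite the record as a native hash.

Example code, not Syncope's: PBKDF2-HMAC-SHA256 is used in place of bcrypt;
the record layout and all names below are assumptions made for this example.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000      # assumed work factor; tune for the deployment
SALT_LEN = 16

SCHEME_WRAPPED = "pbkdf2_sha256(md5)"   # PBKDF2 over the hex MD5 digest
SCHEME_NATIVE = "pbkdf2_sha256"         # PBKDF2 over the password itself


def md5_hex(password: str) -> str:
    """A legacy column value: unsalted MD5 of the password, as lowercase hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _pbkdf2(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def _encode(scheme: str, iterations: int, salt: bytes, digest: bytes) -> str:
    return "$".join([scheme, str(iterations), salt.hex(), digest.hex()])


def _decode(record: str) -> Tuple[str, int, bytes, bytes]:
    scheme, iterations, salt, digest = record.split("$")
    return scheme, int(iterations), bytes.fromhex(salt), bytes.fromhex(digest)


def wrap_legacy_md5(md5_digest: str) -> str:
    """Offline step: rehash an existing MD5 hex digest. Needs no plaintext."""
    salt = os.urandom(SALT_LEN)
    digest = _pbkdf2(md5_digest.lower().encode("ascii"), salt, ITERATIONS)
    return _encode(SCHEME_WRAPPED, ITERATIONS, salt, digest)


def hash_native(password: str) -> str:
    """How new accounts (and upgraded ones) are stored from now on."""
    salt = os.urandom(SALT_LEN)
    digest = _pbkdf2(password.encode("utf-8"), salt, ITERATIONS)
    return _encode(SCHEME_NATIVE, ITERATIONS, salt, digest)


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check `password` against `stored`.

    Returns (ok, replacement): `replacement` is a fresh native record to write
    back when the login succeeded against a wrapped legacy hash, else None.
    """
    scheme, iterations, salt, expected = _decode(stored)
    if scheme == SCHEME_WRAPPED:
        secret = md5_hex(password).encode("ascii")   # recompute the inner MD5
    elif scheme == SCHEME_NATIVE:
        secret = password.encode("utf-8")
    else:
        return False, None                           # unknown scheme: fail closed
    ok = hmac.compare_digest(_pbkdf2(secret, salt, iterations), expected)
    if ok and scheme == SCHEME_WRAPPED:
        return True, hash_native(password)           # upgrade while plaintext is known
    return ok, None


def migrate_table(users: Dict[str, str]) -> Dict[str, str]:
    """Offline step over the whole table: {user: md5_hex} -> {user: wrapped}."""
    return {name: wrap_legacy_md5(h) for name, h in users.items()}


def login(users: Dict[str, str], name: str, password: str) -> bool:
    """Online step: verify and transparently upgrade the record on success."""
    ok, replacement = verify(users[name], password)
    if replacement is not None:
        users[name] = replacement
    return ok


if __name__ == "__main__":
    # Constructed sample table, shaped like a pre-upgrade 'password' column.
    table = {"alice": md5_hex("correct horse"), "bob": md5_hex("hunter2")}
    table = migrate_table(table)                        # at upgrade time
    assert not login(table, "alice", "wrong")
    assert login(table, "alice", "correct horse")       # first login after upgrade
    assert table["alice"].startswith(SCHEME_NATIVE + "$")   # now a native hash
    assert table["bob"].startswith(SCHEME_WRAPPED + "$")    # bob has not logged in yet
    print("migration demo ok")
```

Note that after step 1 an attacker who obtains the column must run the full PBKDF2 work per guess, since the inner MD5 alone no longer matches anything stored; the wrapped records still remain in the table for users who never log in, which is why the wrapped scheme has to stay verifiable indefinitely or be paired with a forced password reset.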