[
http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kay Chau updated MIFOS-4342:
----------------------------
Summary: Migrate to stronger password storage mechanism, resistant to
modern cracking techniques (was: Migrate to stroger password storage
mechanism, resistant to modern cracking techniques)
> Migrate to stronger password storage mechanism, resistant to modern cracking
> techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F
>
>
> Mifos stores passwords using the "salted (random) MD5 hash" storage, which is
> easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed
> for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to
> enable the hardness of the cryptography to keep up with increasing computing
> power, making it considerably more difficult to crack a database of leaked
> passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license
> http://www.mindrot.org/projects/jBCrypt/
> Background info:
> http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
> http://codahale.com/how-to-safely-store-a-password/#
> On the recent Gawker security breach, which involved the release of 1.3M
> accounts and passwords:
> http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
> http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html
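The migration the issue proposes, sketched as an added example (not Mifos code and not part of the original issue): verify a login against the old record, then re-hash with jBCrypt and raise the cost later as hardware improves. The legacy layout MD5(salt || password), the class and method names, and the cost of 12 are assumptions; jBCrypt must be on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import org.mindrot.jbcrypt.BCrypt; // jBCrypt, the library linked in the issue

public class PasswordMigration {
    static final int TARGET_COST = 12; // assumed "hardness" factor; tune to your hardware

    // Hypothetical legacy scheme: MD5(salt || password). The real Mifos layout may differ.
    static byte[] legacyHash(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // bcrypt strings look like $2a$10$<salt+hash>; field 2 is the cost.
    static int costOf(String stored) {
        return Integer.parseInt(stored.split("\\$")[2]);
    }

    /** Returns the value to store after a successful login, or null if the password is wrong. */
    static String verifyAndUpgrade(String password, String bcryptHash,
                                   byte[] legacySalt, byte[] legacyDigest)
            throws NoSuchAlgorithmException {
        if (bcryptHash != null) {
            if (!BCrypt.checkpw(password, bcryptHash)) return null;
            // Already migrated: re-hash only if the stored cost is below the target.
            return costOf(bcryptHash) < TARGET_COST
                    ? BCrypt.hashpw(password, BCrypt.gensalt(TARGET_COST))
                    : bcryptHash;
        }
        // Legacy record: constant-time comparison, then upgrade while we hold the plaintext.
        if (!MessageDigest.isEqual(legacyHash(legacySalt, password), legacyDigest)) return null;
        return BCrypt.hashpw(password, BCrypt.gensalt(TARGET_COST));
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[12];
        new SecureRandom().nextBytes(salt);
        byte[] legacy = legacyHash(salt, "correct horse"); // constructed sample record
        String upgraded = verifyAndUpgrade("correct horse", null, salt, legacy);
        System.out.println("migrated to bcrypt: " + upgraded.startsWith("$2a$12$"));
        System.out.println("wrong password rejected: "
                + (verifyAndUpgrade("wrong", upgraded, null, null) == null));
        System.out.println("no re-hash at target cost: "
                + upgraded.equals(verifyAndUpgrade("correct horse", upgraded, null, null)));
    }
}
```

Accounts that never log in keep their MD5 record under this scheme, so the legacy columns can only be dropped after a forced reset or a cut-off date.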
--
This message is automatically generated by JIRA.
_______________________________________________
Mifos-issues mailing list
https://lists.sourceforge.net/lists/listinfo/mifos-issues