[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kay Chau updated MIFOS-4342:
----------------------------
Fix Version/s: Release G (was: Elsie F)
> Migrate to stronger password storage mechanism, resistant to modern cracking
> techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Release G
>
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is
> easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed
> for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to
> enable the hardness of the cryptography to keep up with increasing computing
> power, making it considerably more difficult to crack a database of leaked
> passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license
> http://www.mindrot.org/projects/jBCrypt/
> Background info:
> http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
> http://codahale.com/how-to-safely-store-a-password/#
> On the recent Gawker security breach, which involved the release of 1.3M
> accounts and passwords:
> http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
> http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html
--
This message is automatically generated by JIRA.
_______________________________________________
Mifos-issues mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mifos-issues
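
One way to carry out the migration the issue asks for, as an added example that is not Mifos code: verify each login against whatever hash is stored and rehash with bcrypt while the plaintext is available. It assumes jBCrypt (`org.mindrot.jbcrypt.BCrypt`) on the classpath; the class name, method names, the legacy layout (lowercase hex of MD5 over salt followed by password) and the cost of 12 are assumptions, since the issue does not describe Mifos's actual record format.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.mindrot.jbcrypt.BCrypt;   // jBCrypt, the library linked in the issue

/** Hypothetical helper (not Mifos code): checks a login and upgrades weak hashes. */
public class PasswordMigration {
    static final int COST = 12;      // assumed target work factor (log2 of rounds)

    /** Hypothetical legacy layout: lowercase hex of MD5(salt || password). */
    static String legacyHash(byte[] salt, String password) throws Exception {
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(salt);
        md5.update(password.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, md5.digest()));
    }

    /**
     * Returns null if the password is wrong; otherwise the value that should be
     * stored from now on (the same string when no upgrade is needed).
     */
    static String verifyAndUpgrade(String password, String stored, byte[] salt) throws Exception {
        if (stored.startsWith("$2a$")) {                         // already bcrypt
            if (!BCrypt.checkpw(password, stored)) return null;
            int cost = Integer.parseInt(stored.substring(4, 6)); // "$2a$NN$..."
            // The cost is encoded in the hash, so an old, cheaper hash can be raised here.
            return cost < COST ? BCrypt.hashpw(password, BCrypt.gensalt(COST)) : stored;
        }
        // Legacy record: constant-time compare, then rehash while the plaintext is in hand.
        byte[] expected = stored.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = legacyHash(salt, password).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, actual)) return null;
        return BCrypt.hashpw(password, BCrypt.gensalt(COST));
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = {1, 2, 3, 4};                              // constructed sample data
        String legacy = legacyHash(salt, "correct horse");
        String upgraded = verifyAndUpgrade("correct horse", legacy, salt);
        System.out.println("prefix after first login: " + upgraded.substring(0, 7));
        System.out.println("wrong password: " + verifyAndUpgrade("guess", upgraded, salt));
        System.out.println("unchanged on next login: "
                + upgraded.equals(verifyAndUpgrade("correct horse", upgraded, salt)));
    }
}
```

Accounts that never log in again keep their MD5 record under this scheme, so a deployment still needs a cutoff after which remaining legacy hashes are invalidated and those users reset their passwords.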