[
http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67193#comment-67193
]
Adam Monsen commented on MIFOS-4342:
------------------------------------
Hmm, looks like pushing this code was maybe accidental, then reverted, then
moved to a branch? Is that what happened?
Was this maybe also running on the main test server for a while?
http://ci.mifos.org:8085/mifos/ seems broken:
{noformat}
java.lang.NullPointerException
at java.lang.System.arraycopy(Native Method)
at
org.mifos.security.authentication.PasswordHashing.verifyPassword(PasswordHashing.java:70)
...
{noformat}
> Migrate to stronger password storage mechanism, resistant to modern cracking
> techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: Łukasz Domżalski
> Priority: Major
> Labels: authentication, security
> Fix For: Release G
>
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is
> easy to break from computational point of view.
> The solution is to use a modern cryptography function specifically designed
> for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to
> enable the hardness of the cryptography to keep up with increasing computing
> power, making it considerably more difficult to crack a database of leaked
> passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license
> http://www.mindrot.org/projects/jBCrypt/
> Background info:
> http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
> http://codahale.com/how-to-safely-store-a-password/#
> On the recent Gawker security breach, which involved the release of 1.3M
> accounts and passwords:
> http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
> http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Mifos-issues mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mifos-issues
