Created by Sebastiaan Janssen 19 Aug 2012, 14:54:47 Updated by Shannon Deminick 16 Feb 2014, 23:58:19
Passwords should be hashed AND salted
From OWASP: If each password is simply hashed, identical passwords will have the same hash. There are two drawbacks to hashing only the password:
''Originally created on CodePlex by [Myster|http://www.codeplex.com/site/users/view/Myster]'' on 6/21/2012 2:17:47 AM [Codeplex ID: 30855 - Codeplex Votes: 2]
''Comment by [leekelleher|http://www.codeplex.com/site/users/view/leekelleher] on 6/21/2012 2:40:21 PM:'' Umbraco uses HMACSHA1 to encrypt the passwords, using the password itself as the salt/key.
I am no security expert, so can't comment on how secure that actually is, but it does seem pretty secure.
''Comment by [Myster|http://www.codeplex.com/site/users/view/Myster] on 7/13/2012 9:48:53 AM:'' One reason for salting is to prevent the use of a rainbow table to get passwords from the hash. Using the password as the salt would not mitigate that.
A couple of articles from Troy Hunt - passwords and how they are hacked (http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html) and the stronger password hashing options in .NET with MS universal providers (http://www.troyhunt.com/2012/07/stronger-password-hashing-in-net-with.html).
Oh well, it was a good idea once upon a time... now what?
The article by Troy Hunt quoted above suggests that even if the salt is changed, an attacker can still break the passwords in minutes as opposed to seconds. Is there any benefit in changing this? If passwords can be cracked that quickly then surely the security of the database needs to be the priority - they can only crack passwords if they can get at the data in the first place.
One suggestion is to have an app-specific salt + a user-specific salt, so the database and (wherever the app-specific salt is stored) must both be compromised. Troy also mentions security is never going to be 100% ... or perhaps just an app-specific salt (saves changing the schema).
Passwords are properly salted when stored as hashes with the new membership providers in 6.2/7.1. The new providers also respect the hashing algorithm specified in the web.config - and in .NET 4.5 the default algorithm is much stronger anyway (HMACSHA256). ... So in any case, it is much better than what it was before.
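As an added illustration (not Umbraco's code or the membership provider's implementation), the two schemes discussed in this thread side by side: HMACSHA1 keyed with the password itself, as leekelleher describes, which gives identical hashes for identical passwords, beside the per-user random salt plus app-specific secret that Myster suggests, using HMACSHA256 as mentioned for the newer providers. It assumes .NET Core 2.1 or later for `CryptographicOperations.FixedTimeEquals`; the app secret and passwords are constructed placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative code written for this thread, not Umbraco's implementation.
public static class PasswordHashingDemo
{
    // Scheme as described in the thread: HMACSHA1 keyed with the password itself.
    // Nothing random goes in, so equal passwords yield equal hashes and one lookup table serves all accounts.
    public static string PasswordKeyedHash(string password)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        using (var hmac = new HMACSHA1(pw))
            return Convert.ToBase64String(hmac.ComputeHash(pw));
    }

    // Scheme suggested in the thread: a random per-user salt stored next to the hash, plus an
    // app-specific secret kept outside the database, so both stores must be compromised.
    // HMACSHA256 keyed with the app secret over salt || password.
    public static (byte[] Salt, byte[] Hash) SaltedHash(string password, byte[] appSecret)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return (salt, Compute(password, salt, appSecret));
    }

    private static byte[] Compute(string password, byte[] salt, byte[] appSecret)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        byte[] msg = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, msg, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, msg, salt.Length, pw.Length);
        using (var hmac = new HMACSHA256(appSecret))
            return hmac.ComputeHash(msg);
    }

    // Recompute with the stored salt and compare in constant time.
    public static bool Verify(string password, byte[] salt, byte[] hash, byte[] appSecret)
    {
        return CryptographicOperations.FixedTimeEquals(Compute(password, salt, appSecret), hash);
    }

    public static void Main()
    {
        byte[] appSecret = Encoding.UTF8.GetBytes("APP-SECRET-PLACEHOLDER"); // constructed; real one lives in config, not the DB
        Console.WriteLine("Password-keyed hashes equal for two users with the same password: " + (PasswordKeyedHash("Secret123") == PasswordKeyedHash("Secret123")));
        var user1 = SaltedHash("Secret123", appSecret);
        var user2 = SaltedHash("Secret123", appSecret);
        Console.WriteLine("Salted hashes equal for the same password: " + (Convert.ToBase64String(user1.Hash) == Convert.ToBase64String(user2.Hash)));
        Console.WriteLine("Verify correct password: " + Verify("Secret123", user1.Salt, user1.Hash, appSecret));
        Console.WriteLine("Verify wrong password: " + Verify("secret123", user1.Salt, user1.Hash, appSecret));
    }
}
```

Without the app secret a leaked table of salts and hashes alone is not enough to test candidate passwords, which is the property the two-salt suggestion above is after.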
Assignee: Shannon Deminick
Backwards Compatible: True
Due in version: 7.1.0, 6.2.0