Feature #26786
Use a safe password hashing mechanism
| Status: | Resolved | Start date: | 2011-05-12 | |
|---|---|---|---|---|
| Priority: | Must have | Due date: | ||
| Assigned To: | Christopher Hlubek | % Done: | 100% |
|
| Category: | - | |||
| Target version: | 1.0 beta 1 |
Description
The current AccountFactory uses the generateSaltedMd5 method of the HashService. Since MD5 is considered to be not safe, we should switch to either sha1 or another method for password hashing (e.g. also use an hmac).
Related issues
Associated revisions
[!!!][FEATURE] Implement a safe password hashing mechanism using PBKDF2
This change implements a configurable password hashing strategy for
the hash service and a PBKDF2 based password hashing strategy which
generates strong hashed passwords and uses multiple iterations for
brute-force protection.
To use the old salted MD5 hashing, the password hashing strategy
may be replaced in the Objects.yaml.
Change-Id: I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc
Resolves: #26786
History
#1 Updated by Christopher Hlubek about 4 years ago
I would suppose to use a standardized and proven way of creating password hashes for storage: see http://en.wikipedia.org/wiki/PBKDF2 and http://www.itnewb.com/v/Encrypting-Passwords-with-PHP-for-Storage-Using-the-RSA-PBKDF2-Standard
With a decent iteration count (> 10,000) it should be considered safe for now.
#2 Updated by Mr. Hudson about 4 years ago
Patch set 1 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332
#3 Updated by Mr. Hudson about 4 years ago
Patch set 2 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332
#4 Updated by Christopher Hlubek about 4 years ago
- Status changed from New to Under Review
- Assigned To set to Christopher Hlubek
I implemented a PBKDF2 based password hashing and refactored the hash service to enable configurable password hashing strategies.
#5 Updated by Mr. Hudson about 4 years ago
Patch set 4 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332
#6 Updated by Mr. Hudson about 4 years ago
Patch set 5 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332
#7 Updated by Mr. Hudson about 4 years ago
Patch set 6 of change I9d365a9eab3930433f49faf9e7c8c5fbb1166dcc has been pushed to the review server.
It is available at http://review.typo3.org/2332
#8 Updated by Christopher Hlubek about 4 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset commit:ad4c9a7e4e6950c16c4a2cf138bafe69958af8ca.