Hashing and security (password strength)


Roman

Apr 6, 2012, 7:09:22 AM
to silverst...@googlegroups.com
Hello SilverStripe developers.

Jeff Atwood (stackoverflow) just posted an interesting post about
hashing and how much processing time is needed to calculate passwords
using modern GPUs.

http://www.codinghorror.com/blog/2012/04/speed-hashing.html

I thought this might be interesting for the SilverStripe developer
community and also brings up the question if there's room for
improvement for that in sapphire? Are the hashes already generated with
something like bcrypt? Or is MD5 still the hashing method of choice?

xeraa

Apr 6, 2012, 7:15:14 AM
to silverst...@googlegroups.com
Hi,

MD5 alone would be pretty bad.
At least in SS 2.4 the default is IMHO a salted SHA1 (take a look at the MemberPassword table).

Cheers, Philipp

Ingo Schommer

Apr 6, 2012, 1:32:49 PM
to silverst...@googlegroups.com
Hello!

We're using sha1, and salt with whirlpool, plus the best entropy generator available on the architecture:
You can change the algo from sha1 to bcrypt in your installation.
Haven't read through the post (yet), so can't comment on how safe our default approach is based on the latest findings.

All the best
Ingo

Marcus Nyeholt

Apr 8, 2012, 12:22:05 AM
to silverst...@googlegroups.com
One of the main points of the post was that brute force generating ALL possible passwords (up to 8 chars) for certain kinds of hashes is relatively simple (timewise) to do these days, by paralleling code over multiple GPUs which seem to be really good at that kind of thing.

Salting passwords is next to useless if the salt is just as available as the hashed password (if someone can get your password hashes, they probably have the salts), given the approach is not using rainbow table lookups but brute force searching.

Cheers,

Marcus


Sam Minnée

Apr 9, 2012, 3:36:16 AM
to silverst...@googlegroups.com
We probably want to amend the default hash to use blowfish aka bcrypt. Since the hashing algorithm is stored row by row, this won't cause upgrading hassles.

Given we're using sha1 and not md5 at the moment, I don't think it's so critical that it requires a 2.4.x security release, but we should probably change the default for 3.0.

-------
Sam Minnée | Chief Executive Officer
SilverStripe
http://silverstripe.com

Phone: +64 4 978 7334
Skype: sam.minnee
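Added example (not SilverStripe code) illustrating the two points above: a salt does nothing against brute force once the attacker holds the table, only the work factor does, and storing the algorithm per row lets legacy rows be re-hashed with bcrypt on the next successful login. The record layout (`algorithm`, `salt`, `hash` keys) is assumed for the demonstration and is not the framework's own schema.

```php
<?php
declare(strict_types=1);
// Assumed per-row layout: ['algorithm' => 'sha1_salted'|'bcrypt', 'salt' => ..., 'hash' => ...]

// Legacy scheme discussed in the thread: salt concatenated with the password,
// hashed once with SHA-1. One cheap hash per guess, so trivially brute-forced.
function legacySha1Record(string $password): array {
    $salt = bin2hex(random_bytes(8));
    return ['algorithm' => 'sha1_salted', 'salt' => $salt,
            'hash' => sha1($salt . $password)];
}

// bcrypt: the salt is embedded in the output string, and the cost parameter
// sets the work factor (each +1 doubles the time an attacker pays per guess).
function bcryptRecord(string $password, int $cost = 12): array {
    return ['algorithm' => 'bcrypt', 'salt' => '',
            'hash' => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost])];
}

// Verify with whichever algorithm the row records; a row still on the legacy
// scheme is rewritten with bcrypt once the correct password is presented.
function verifyAndUpgrade(array &$record, string $password): bool {
    switch ($record['algorithm']) {
        case 'sha1_salted':
            $ok = hash_equals($record['hash'], sha1($record['salt'] . $password));
            if ($ok) { $record = bcryptRecord($password); }
            return $ok;
        case 'bcrypt':
            return password_verify($password, $record['hash']);
        default:
            return false;
    }
}

// Rough single-core measurement of how many candidate passwords per second
// each scheme lets a verifier (or an attacker with the table) test.
function guessesPerSecond(array $record, int $samples): float {
    $start = hrtime(true);
    for ($i = 0; $i < $samples; $i++) {
        $copy = $record;                       // wrong guesses never trigger an upgrade
        verifyAndUpgrade($copy, "candidate$i");
    }
    return $samples / ((hrtime(true) - $start) / 1e9);
}

$row = legacySha1Record('correct horse');
printf("sha1+salt:      %.0f guesses/s\n", guessesPerSecond($row, 20000));
printf("bcrypt cost 12: %.1f guesses/s\n", guessesPerSecond(bcryptRecord('correct horse'), 5));
verifyAndUpgrade($row, 'wrong password');      // legacy row stays as it is
verifyAndUpgrade($row, 'correct horse');       // legacy row is migrated
echo "row now uses: ", $row['algorithm'], "\n";
```

Run with `php example.php`; the gap between the two throughput figures, not the presence of the salt, is what determines how long an offline brute-force search takes.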

Sam Minnée

Apr 9, 2012, 3:38:37 AM
to silverst...@googlegroups.com
And lo, there was a ticket: http://open.silverstripe.org/ticket/7111

On 7/04/2012, at 5:32 AM, Ingo Schommer wrote:

Ingo Schommer

May 2, 2012, 9:10:50 AM
to silverst...@googlegroups.com
And behold, Andy fixed it :)