[Mifos-issues] [JIRA Studio] Created: (MIFOS-4342) Password authentication data is stored in SHA hashed form. Store them in a form that is resistant to modern cracking techniques.


Adam Feuer (JIRA)

Dec 16, 2010, 3:06:25 PM
to mifos-...@lists.sourceforge.net
Password authentication data is stored in SHA hashed form. Store them in a form that is resistant to modern cracking techniques.
---------------------------------------------------------------------------------------------------------------------------------

Key: MIFOS-4342
URL: http://mifosforge.jira.com/browse/MIFOS-4342
Project: mifos
Issue Type: Bug
Components: Authentication
Affects Versions: Release E - Iteration 11
Reporter: Adam Feuer
Priority: Major


Mifos stores passwords using the SHA hash function. This is a known problem, as hashed passwords can be quickly cracked using modern techniques. Salting SHA hashes does not fix the problem.

The solution is to use a modern cryptography function specifically designed for passwords, such as bcrypt. bcrypt has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.

For more information see:

Java bCrypt library, BSD license
http://www.mindrot.org/projects/jBCrypt/

Background info:
http://paulbuchheit.blogspot.com/2007/09/quick-read-this-if-you-ever-store.html
http://codahale.com/how-to-safely-store-a-password/#

On the recent Gawker security breach, which involved the release of 1.3M accounts and passwords:
http://www.duosecurity.com/blog/entry/brief_analysis_of_the_gawker_password_dump
http://www.pcworld.com/businesscenter/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://mifosforge.jira.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

_______________________________________________
Mifos-issues mailing list
Mifos-...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mifos-issues

jbrewster (JIRA)

Dec 17, 2010, 5:00:25 PM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=63018#action_63018 ]

jbrewster commented on MIFOS-4342:
----------------------------------

If we change this, we need to remember to address our init password script that we ship in our zip file.

> Password authentication data is stored in SHA hashed form. Store them in a form that is resistant to modern cracking techniques.
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F

Kay Chau (JIRA)

Dec 17, 2010, 4:58:26 PM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kay Chau updated MIFOS-4342:
----------------------------

Fix Version/s: Elsie F
Assignee: mifosdeveloperqueue

> Password authentication data is stored in SHA hashed form. Store them in a form that is resistant to modern cracking techniques.
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F

Adam Feuer (JIRA)

Dec 17, 2010, 6:47:26 PM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=63022#action_63022 ]

Adam Feuer commented on MIFOS-4342:
-----------------------------------

Note that we may have to include a small command-line utility to change the password in the database, as bcrypt is not built into MySQL.

Also note that we will need to require all users to change their passwords after the upgrade, since we don't store the password - we only store the SHA hash.

> Password authentication data is stored in SHA hashed form. Store them in a form that is resistant to modern cracking techniques.
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Bug
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F

Udai Gupta (JIRA)

Dec 20, 2010, 3:40:25 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Udai Gupta updated MIFOS-4342:
------------------------------

Description:
Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.

The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
http://www.openbsd.org/papers/bcrypt-paper.ps

OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.

For more information see:
Java OpenBSD's Blowfish password hashing library, BSD license
http://www.mindrot.org/projects/jBCrypt/

was:


Mifos stores passwords using the SHA hash function. This is a known problem, as hashed passwords can be quickly cracked using modern techniques. Salting SHA hashes does not fix the problem.

The solution is to use a modern cryptography function specifically designed for passwords, such as bcrypt. bcrypt has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.

For more information see:

Java bCrypt library, BSD license
http://www.mindrot.org/projects/jBCrypt/

Issue Type: Improvement (was: Bug)
Summary: Migrate to stronger password storage mechanism, resistant to modern cracking techniques (was: Password authentication data is stored in SHA hashed form. Store them in a form that is resistant to modern cracking techniques.)

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license

Udai Gupta (JIRA)

Dec 20, 2010, 7:23:25 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=63060#action_63060 ]

Udai Gupta commented on MIFOS-4342:
-----------------------------------

bcrypt is not supported in spring-security https://jira.springsource.org/browse/SEC-1472 (won't fix).

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license

Udai Gupta (JIRA)

Dec 20, 2010, 8:25:26 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=63062#action_63062 ]

Udai Gupta commented on MIFOS-4342:
-----------------------------------

Approach to migrate to bcrypt.

- Add feature to force accounts to expire in one month from last login (later can be adjusted to a year)
- Create a batch job which will set the hash column to null once the account is expired.
- Create new columns to store [hardness (short), hash (string) default null]
- Create code which will take the password from the user at login, store it in the new column and set the previous md5+salt hash to null
- Drop the old password column and remove the migration code in the release after next (G?)

Nothing needs to be done externally; users would not notice anything, only account expiration would be a new feature.

I would also like to add that we should think about the strength of the password that can be entered in Mifos as a separate feature.

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license
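The login-time upgrade sketched in the comment above, written out as an added example in Java against the jBCrypt API the issue links to; this is illustrative code, not Mifos's own. It assumes the legacy hash is MD5(salt || password) with both values Base64-encoded and the four columns named in the plan, and it fails closed on a row whose hash columns are already null (which the plan's expiry batch job produces) rather than trying to verify against them.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import org.mindrot.jbcrypt.BCrypt;

/**
 * Login-time migration from a legacy salted-MD5 hash to bcrypt.
 * Hypothetical example code, not taken from the Mifos code base.
 *
 * Assumptions (not stated in the issue):
 *  - legacy hash = MD5(salt || password), hash and salt stored Base64;
 *  - the user row carries the columns named in the plan: legacy hash,
 *    legacy salt, bcrypt "hardness" (log rounds) and bcrypt hash.
 */
public final class PasswordMigration {

    /** Work factor for new hashes; raise it as hardware gets faster. */
    static final int DEFAULT_LOG_ROUNDS = 12;

    /** In-memory stand-in for the personnel row's password columns. */
    static final class UserRecord {
        String legacyMd5Hash;   // Base64 MD5(salt || password); null once migrated or expired
        String legacySalt;      // Base64 random salt
        Short bcryptLogRounds;  // new "hardness" column, null until migrated
        String bcryptHash;      // new hash column, null until migrated
    }

    private static final SecureRandom RNG = new SecureRandom();

    /** Legacy scheme, kept only so existing rows can be verified during migration. */
    static String legacyMd5(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /** Builds a legacy-format row, i.e. a user who has not logged in since the upgrade. */
    static UserRecord legacyUser(String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        UserRecord u = new UserRecord();
        u.legacySalt = Base64.getEncoder().encodeToString(salt);
        u.legacyMd5Hash = legacyMd5(salt, password);
        return u;
    }

    /**
     * Verifies a login attempt and upgrades the stored credential in place.
     * Returns true only if the password matched one of the stored forms.
     * A row whose hashes are all null (expired by the batch job, or never
     * migrated) fails closed instead of dereferencing a null hash.
     */
    static boolean loginAndMigrate(UserRecord u, String password) {
        if (u.bcryptHash != null) {
            if (!BCrypt.checkpw(password, u.bcryptHash)) {
                return false;
            }
            // Re-hash when the stored work factor is below the current policy.
            if (u.bcryptLogRounds == null || u.bcryptLogRounds < DEFAULT_LOG_ROUNDS) {
                storeBcrypt(u, password);
            }
            return true;
        }
        if (u.legacyMd5Hash == null || u.legacySalt == null) {
            return false; // expired or malformed row: nothing to verify against
        }
        byte[] salt = Base64.getDecoder().decode(u.legacySalt);
        byte[] expected = Base64.getDecoder().decode(u.legacyMd5Hash);
        byte[] actual = Base64.getDecoder().decode(legacyMd5(salt, password));
        if (!MessageDigest.isEqual(expected, actual)) { // constant-time compare
            return false;
        }
        // The plaintext is known to be correct right now: upgrade the row and
        // null out the MD5 material so a dump of the table no longer carries it.
        storeBcrypt(u, password);
        u.legacyMd5Hash = null;
        u.legacySalt = null;
        return true;
    }

    private static void storeBcrypt(UserRecord u, String password) {
        u.bcryptLogRounds = (short) DEFAULT_LOG_ROUNDS;
        u.bcryptHash = BCrypt.hashpw(password, BCrypt.gensalt(DEFAULT_LOG_ROUNDS));
    }

    public static void main(String[] args) {
        UserRecord u = legacyUser("correct horse");
        System.out.println("wrong password accepted: " + loginAndMigrate(u, "wrong"));
        System.out.println("legacy login accepted:   " + loginAndMigrate(u, "correct horse"));
        System.out.println("legacy hash cleared:     " + (u.legacyMd5Hash == null));
        System.out.println("bcrypt login accepted:   " + loginAndMigrate(u, "correct horse"));
    }
}
```

Expired rows (hash column nulled by the batch job) take the fail-closed branch, so a user in that state must go through password reset rather than login.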

Udai Gupta (JIRA)

Dec 20, 2010, 8:27:26 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=63062#action_63062 ]

Udai Gupta edited comment on MIFOS-4342 at 12/20/10 5:25 AM:
-------------------------------------------------------------

Approach to migrate to bcrypt.

- Add feature to force accounts to expire in one month from last login (later can be adjusted to a year)
- Create a batch job which will set the hash column to null once the account is expired.
- Create new columns to store [hardness (short), hash (string) default null]
- Create code which will take the password from the user at login, store it in the new column and set the previous md5+salt hash to null
- Drop the old password column and remove the migration code in the release after next (G?)

Nothing needs to be done externally; users would not notice anything, only account expiration would be a new feature.

I would also like to add that we should think about the strength of the password that can be entered in Mifos as a separate feature.

was (Author: ugupta):

Approach to migrate to bcrypt.

- Add feature to force accounts to expire in one month from last login (later can be adjusted to a year)
- Create a batch job which will set the hash column to null once the account is expired.
- Create new columns to store [hardness (short), hash (string) default null]
- Create code which will take the password from the user at login, store it in the new column and set the previous md5+salt hash to null
- Drop the old password column and remove the migration code in the release after next (G?)

Nothing needs to be done externally; users would not notice anything, only account expiration would be a new feature.

I would also like to add that we should think about the strength of the password that can be entered in Mifos as a separate feature.

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license

Kay Chau (JIRA)

Jan 25, 2011, 7:21:24 PM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kay Chau updated MIFOS-4342:
----------------------------

Summary: Migrate to stronger password storage mechanism, resistant to modern cracking techniques (was: Migrate to stroger password storage mechanism, resistant to modern cracking techniques)

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Elsie F
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license


Kay Chau (JIRA)

Feb 11, 2011, 2:07:24 PM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kay Chau updated MIFOS-4342:
----------------------------

Fix Version/s: Release G (was: Elsie F)

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: mifosdeveloperqueue
> Priority: Major
> Fix For: Release G
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license


Mifos Hudson Jira Plugin User (JIRA)

May 10, 2011, 9:30:43 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67166#comment-67166 ]

Mifos Hudson Jira Plugin User commented on MIFOS-4342:
------------------------------------------------------

Integrated in head-master-secondary #360 (http://ci.mifos.org/hudson/job/head-master-secondary/360/)
[MIFOS-4342] fix integration tests

Łukasz Domżalski :
Files :
* application/src/test/java/org/mifos/customers/client/struts/action/ClientTransferActionStrutsTest.java


> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: Łukasz Domżalski
> Priority: Major
> Labels: authentication, security
> Fix For: Release G
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license


Mifos Hudson Jira Plugin User (JIRA)

May 10, 2011, 10:54:43 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67172#comment-67172 ]

Mifos Hudson Jira Plugin User commented on MIFOS-4342:
------------------------------------------------------

Integrated in head-master-secondary #361 (http://ci.mifos.org/hudson/job/head-master-secondary/361/)
Revert "[MIFOS-4342] fix integration tests"
Revert "[MIFOS-4342] migrate to Bcrypt - accont expire functionality"
Revert "[MIFOS-4342] migrate to Bcrypt - change encrypt algorithm to Bcrypt"

Łukasz Domżalski :
Files :
* application/src/test/java/org/mifos/customers/client/struts/action/ClientTransferActionStrutsTest.java

Łukasz Domżalski :
Files :
* db/src/main/resources/sql/base-data.sql
* appdomain/src/main/java/org/mifos/application/servicefacade/LoginServiceFacadeWebTier.java
* application/src/main/java/org/mifos/security/authentication/MifosDaoAuthenticationProvider.java
* appdomain/src/main/java/org/mifos/customers/personnel/persistence/PersonnelDaoHibernate.java
* db/src/test/resources/sql/acceptance_test_dump.sql
* db/pom.xml
* organization/src/main/java/org/mifos/customers/personnel/business/PersonnelBO.java

Łukasz Domżalski :
Files :
* organization/src/main/java/org/mifos/security/authentication/EncryptionService.java
* appdomain/src/main/java/org/mifos/application/servicefacade/LoginServiceFacadeWebTier.java
* organization/src/main/java/org/mifos/security/authentication/PasswordHashing.java
* serviceInterfaces/src/main/java/org/mifos/security/MifosUser.java
* application/src/main/java/org/mifos/security/authentication/MifosDaoAuthenticationProvider.java
* appdomain/src/main/resources/org/mifos/customers/personnel/business/PersonnelBO.hbm.xml
* organization/pom.xml
* appdomain/src/main/java/org/mifos/builders/MifosUserBuilder.java
* appdomain/src/main/java/org/mifos/customers/personnel/persistence/PersonnelDaoHibernate.java
* organization/src/main/java/org/mifos/customers/personnel/business/PersonnelBO.java
* application/src/main/java/org/mifos/framework/components/batchjobs/helpers/SavingsIntPostingHelper.java
* db/src/main/resources/changesets/changelog-Release_G.xml


> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: Łukasz Domżalski
> Priority: Major
> Labels: authentication, security
> Fix For: Release G
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license


Adam Monsen (JIRA)

May 10, 2011, 2:32:43 PM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67193#comment-67193 ]

Adam Monsen commented on MIFOS-4342:
------------------------------------

Hmm, looks like pushing this code was maybe accidental, then reverted, then moved to a branch? Is that what happened?

Was this maybe also running on the main test server for a while? http://ci.mifos.org:8085/mifos/ seems broken:
{noformat}
java.lang.NullPointerException
at java.lang.System.arraycopy(Native Method)
at org.mifos.security.authentication.PasswordHashing.verifyPassword(PasswordHashing.java:70)
...
{noformat}

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: Łukasz Domżalski
> Priority: Major
> Labels: authentication, security
> Fix For: Release G
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license


Łukasz Domżalski (JIRA)

May 12, 2011, 9:32:43 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Łukasz Domżalski resolved MIFOS-4342.
-------------------------------------

Resolution: Fixed

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: Łukasz Domżalski
> Priority: Major
> Labels: authentication, security
> Fix For: Release G
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license


Łukasz Domżalski (JIRA)

May 12, 2011, 9:44:43 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67230#comment-67230 ]

Łukasz Domżalski commented on MIFOS-4342:
-----------------------------------------

Done in the hudsonBuild-MIFOS-4342 branch.

> Migrate to stronger password storage mechanism, resistant to modern cracking techniques
> ---------------------------------------------------------------------------------------
>
> Key: MIFOS-4342
> URL: http://mifosforge.jira.com/browse/MIFOS-4342
> Project: mifos
> Issue Type: Improvement
> Components: Authentication
> Affects Versions: Release E - Iteration 11
> Reporter: Adam Feuer
> Assignee: Łukasz Domżalski
> Priority: Major
> Labels: authentication, security
> Fix For: Release G
>
> Mifos stores passwords using the "salted(random) MD5 hash" storage, which is easy to break from a computational point of view.
> The solution is to use a modern cryptography function specifically designed for passwords, such as OpenBSD's Blowfish password hashing.
> http://www.openbsd.org/papers/bcrypt-paper.ps
> OpenBSD's Blowfish password hashing has an adjustable "hardness" factor to enable the hardness of the cryptography to keep up with increasing computing power, making it considerably more difficult to crack a database of leaked passwords.
> For more information see:
> Java OpenBSD's Blowfish password hashing library, BSD license


Lukasz Chudy (JIRA)
May 16, 2011, 7:20:43 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Chudy updated MIFOS-4342:
--------------------------------

Fix Version/s: Release H (was: Release G)



Van Mittal-Henkle (JIRA)
May 16, 2011, 5:06:43 PM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67290#comment-67290 ]

Van Mittal-Henkle commented on MIFOS-4342:
------------------------------------------

Lukasz, can you confirm that the init_password.sql script has been updated to use the new encryption method?



Łukasz Domżalski (JIRA)
May 27, 2011, 9:57:43 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=67498#comment-67498 ]

Łukasz Domżalski commented on MIFOS-4342:
-----------------------------------------

I didn't update this file, because at the migration stage it is not necessary to update the init_password.sql script; it will be necessary at the stage of removing the migration code.


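The two technical points in this thread are the issue description (bcrypt with an adjustable cost factor instead of salted MD5) and the comment above about keeping "migration code" for a while: rows that still hold a legacy hash can only be converted at login, because that is the only moment the clear-text password is available. The following is an added example, not Mifos code and not taken from this ticket's branch, showing both. It assumes jBCrypt (org.mindrot.jbcrypt.BCrypt, the library the ticket points to) on the classpath; the legacy layout "hexSalt:hex(MD5(salt||password))", the class and method names, and the cost-factor constant are assumptions for illustration, not the project's actual format or API. It goes slightly beyond the description by also rehashing bcrypt rows whose stored cost is below the current setting, which is how the "hardness keeps up with computing power" clause is put into practice.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import org.mindrot.jbcrypt.BCrypt; // jBCrypt, http://www.mindrot.org/projects/jBCrypt/

/** Added example (not Mifos code): bcrypt storage plus a verify-then-upgrade path for legacy rows. */
public final class PasswordStorage {

    /** bcrypt work factor, log2 of the iteration count. Raise it as hardware gets faster. */
    private static final int BCRYPT_LOG_ROUNDS = 12;
    private static final SecureRandom RNG = new SecureRandom();

    /** Hash a new or changed password; jBCrypt generates the salt and embeds it in the result. */
    public static String hashNew(String password) {
        return BCrypt.hashpw(password, BCrypt.gensalt(BCRYPT_LOG_ROUNDS, RNG));
    }

    /** jBCrypt emits modular-crypt strings with a "$2a$" prefix; anything else is treated as legacy. */
    public static boolean isBcrypt(String stored) {
        return stored != null && stored.startsWith("$2a$");
    }

    /** Parse the cost field of a bcrypt string: "$2a$12$..." yields 12. */
    static int costOf(String bcryptString) {
        return Integer.parseInt(bcryptString.substring(4, 6));
    }

    /** ASSUMED legacy layout (stand-in for whatever Mifos stored): hexSalt ':' hex(MD5(salt || password)). */
    static String legacyHash(byte[] salt, String password) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(salt);
            md5.update(password.getBytes(StandardCharsets.UTF_8));
            return hex(salt) + ":" + hex(md5.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Constant-time comparison of the recomputed legacy value against the stored one. */
    static boolean legacyMatches(String password, String stored) {
        int sep = stored == null ? -1 : stored.indexOf(':');
        if (sep < 0) return false;
        byte[] salt = fromHex(stored.substring(0, sep));
        return MessageDigest.isEqual(
                legacyHash(salt, password).getBytes(StandardCharsets.US_ASCII),
                stored.getBytes(StandardCharsets.US_ASCII));
    }

    /** Login outcome: success flag and, when the row should be rewritten, the replacement value. */
    public static final class Result {
        public final boolean ok;
        public final String rehashed; // null when the stored value needs no change
        Result(boolean ok, String rehashed) { this.ok = ok; this.rehashed = rehashed; }
    }

    /**
     * Verify against whatever is stored. A legacy row that verifies is upgraded to bcrypt in the
     * same request; a bcrypt row whose cost is below BCRYPT_LOG_ROUNDS is rehashed at the new cost.
     * The legacy branch is the "migration code" and can be deleted once no legacy rows remain.
     */
    public static Result verify(String password, String stored) {
        if (isBcrypt(stored)) {
            boolean ok = BCrypt.checkpw(password, stored);
            boolean weak = ok && costOf(stored) < BCRYPT_LOG_ROUNDS;
            return new Result(ok, weak ? hashNew(password) : null);
        }
        if (legacyMatches(password, stored)) {
            return new Result(true, hashNew(password));
        }
        return new Result(false, null);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample rows: one legacy (salted MD5) and one already on bcrypt.
        byte[] salt = new byte[8];
        RNG.nextBytes(salt);
        String legacyRow = legacyHash(salt, "correct horse");
        String bcryptRow = hashNew("correct horse");

        Result r1 = verify("correct horse", legacyRow);
        System.out.println("legacy login ok=" + r1.ok + " upgraded=" + isBcrypt(r1.rehashed));
        Result r2 = verify("wrong", legacyRow);
        System.out.println("legacy wrong password ok=" + r2.ok + " rehash=" + (r2.rehashed != null));
        Result r3 = verify("correct horse", bcryptRow);
        System.out.println("bcrypt login ok=" + r3.ok + " rehash needed=" + (r3.rehashed != null));
    }
}
```

The caller persists `Result.rehashed` when it is non-null; a failed login never rewrites the row, so an attacker cannot use the upgrade path to change a stored value. Whether a row is legacy is decided from the stored string's shape, not from a per-user flag, so a later cleanup only has to delete `legacyMatches` and `legacyHash` once a query shows no rows without the `$2a$` prefix; at that point a seed script such as the init_password.sql mentioned in the thread must insert a bcrypt value rather than an MD5 one.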


Lukasz Chudy (Reopened) (JIRA)
Jan 18, 2012, 8:01:19 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Chudy reopened MIFOS-4342:
---------------------------------


Changes related to that issue are only in hudsonBuild4342 branch.





Lukasz Chudy (Issue Comment Edited) (JIRA)
Jan 18, 2012, 8:01:19 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=71569#comment-71569 ]

Lukasz Chudy edited comment on MIFOS-4342 at 1/18/12 5:01 AM:
--------------------------------------------------------------

Changes related to that issue are only in hudsonBuild-MIFOS4342 branch.

was (Author: lukaszch):


Changes related to that issue are only in hudsonBuild4342 branch.



Lukasz Chudy (Updated) (JIRA)
Jan 18, 2012, 8:03:19 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Chudy updated MIFOS-4342:
--------------------------------

Fix Version/s: Unscheduled (was: Release H)





Lukasz Chudy (Assigned) (JIRA)
Jan 19, 2012, 3:48:19 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Chudy reassigned MIFOS-4342:
-----------------------------------

Assignee: mifosdeveloperqueue (was: Łukasz Domżalski)





Chetan Bekkinkeri (Updated) (JIRA)
Mar 8, 2012, 10:51:25 AM
to mifos-...@lists.sourceforge.net

[ http://mifosforge.jira.com/browse/MIFOS-4342?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Chetan Bekkinkeri updated MIFOS-4342:
-------------------------------------

Implementation Priority: Could



