Clojars security upgrade


Phil Hagelberg

Mar 9, 2012, 5:22:30 PM
to clo...@googlegroups.com

Hello folks!

In light of the recent break-in to the Node.js package hosting site
(https://gist.github.com/2001456), I've decided to bump the priority of
increasing the security on Clojars. I've deployed a fix that uses bcrypt
(http://codahale.com/how-to-safely-store-a-password/) for password
hashing. The first time you log in, it will re-hash your password using
bcrypt and wipe the old weak hash.

Note that Clojars has NOT had a security breach at this time. This is a
preventative measure to protect your password in the event of a future
breach. We are also looking into allowing signed jars (and possibly
requiring them for releases). If you're interested in helping out with
this effort (design or code), please join the clojars-maintainers
mailing list: http://groups.google.com/group/clojars-maintainers

Because we can't ensure that everyone will log in to re-hash their
password, at some point in the future (probably 2-3 weeks out) we will
WIPE all the old password hashes. Otherwise users who have stopped using
Clojars or missed the announcement could have their passwords exposed in
the event of a future break-in. I will be sure to send out a few more
warnings before this happens, but even if your password has been wiped
it's easy to reset it via the "forgot password" functionality.

If you have any applications storing passwords hashed with SHA1 (even if
you use a salt) I highly recommend you take the same steps; refer to
http://codahale.com/how-to-safely-store-a-password/ for details.

tl;dr: please log into Clojars to re-hash your password.

Thanks for your attention.

-Phil
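The mechanism the announcement describes, shown as an added example that is not Clojars' code: a legacy salted-SHA-1 record is verified on login, immediately re-hashed with a slow salted algorithm, and the weak hash is deleted; a later cutoff wipes every hash that was never migrated, after which only the reset path restores access. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (the post's actual choice) so the block runs without extra packages; the `UserStore` class, its field names, and the sample users are all constructed for this illustration.

```python
import hashlib
import hmac
import os


def legacy_sha1(password: str, salt: bytes) -> str:
    """Salted SHA-1, standing in for the old weak scheme: fast, so cheap to brute-force offline."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def strong_hash(password: str, iterations: int = 100_000) -> str:
    """Slow, per-user-salted hash. PBKDF2 is used only because it is in the stdlib;
    a bcrypt library would slot in here exactly as the announcement describes."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


class UserStore:
    """Constructed in-memory user table (hypothetical; not Clojars' schema).
    A record holds at most one credential: 'legacy_sha1' (+ 'legacy_salt') or
    'strong'. Neither present means the hash was wiped and a reset is required."""

    def __init__(self):
        self.users = {}

    def add_legacy_user(self, name: str, password: str) -> None:
        salt = os.urandom(8)
        self.users[name] = {"legacy_salt": salt,
                            "legacy_sha1": legacy_sha1(password, salt)}

    def login(self, name: str, password: str) -> bool:
        user = self.users.get(name)
        if user is None:
            return False
        if "strong" in user:
            return strong_verify(password, user["strong"])
        if "legacy_sha1" in user:
            ok = hmac.compare_digest(legacy_sha1(password, user["legacy_salt"]),
                                     user["legacy_sha1"])
            if ok:
                # Login is the one moment the plaintext is available, so upgrade
                # the record now and drop the weak hash so a later leak cannot expose it.
                user["strong"] = strong_hash(password)
                del user["legacy_sha1"]
                del user["legacy_salt"]
            return ok
        return False  # credential wiped at the cutoff: only a reset restores access

    def wipe_legacy_hashes(self) -> int:
        """The cutoff step: discard every hash that was never migrated. Returns the count."""
        wiped = 0
        for user in self.users.values():
            if "legacy_sha1" in user:
                del user["legacy_sha1"]
                del user["legacy_salt"]
                wiped += 1
        return wiped

    def reset_password(self, name: str, new_password: str) -> None:
        """'Forgot password' path; the e-mailed token check itself is not modelled here."""
        self.users[name] = {"strong": strong_hash(new_password)}

    def is_migrated(self, name: str) -> bool:
        return "strong" in self.users[name]


if __name__ == "__main__":
    store = UserStore()
    store.add_legacy_user("alice", "correct horse")   # constructed sample users
    store.add_legacy_user("bob", "hunter2")
    store.login("alice", "correct horse")              # alice migrates transparently
    print("alice migrated:", store.is_migrated("alice"))
    print("wiped at cutoff:", store.wipe_legacy_hashes())   # bob never logged in
    print("bob can still log in:", store.login("bob", "hunter2"))
```

A failed login against a legacy record leaves it untouched (a wrong guess must not trigger a re-hash), and the wipe leaves accounts intact, so the reset flow still works for users who missed the announcement.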

Phil Hagelberg

Apr 20, 2012, 1:56:20 PM
to clo...@googlegroups.com
On Fri, Mar 9, 2012 at 2:22 PM, Phil Hagelberg <ph...@hagelb.org> wrote:
> Because we can't ensure that everyone will log in to re-hash their
> password, at some point in the future (probably 2-3 weeks out) we will
> WIPE all the old password hashes. Otherwise users who have stopped using
> Clojars or missed the announcement could have their passwords exposed in
> the event of a future break-in. I will be sure to send out a few more
> warnings before this happens, but even if your password has been wiped
> it's easy to reset it via the "forgot password" functionality.

Just a heads-up that I am planning on wiping the insecure hashes next
week. If you don't log in in time your account will still be accessible
via the forgot password functionality.

-Phil
