Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
master
-
None
Description
Currently, James does not use salt during password hashing, so its password database is vulnerable to rainbow table cracking if someone ever manages to steal it. Furthermore, there is no mechanism to upgrade user passwords to stronger/different hashing once they are created (cf. legacy hashing mode). This is a problem for any installation that does not employ an external LDAP user database.
A simple solution is to include the user name as salt in the password hash. For this purpose, the hashingMode choices in usersrepository.xml should include an new mode "salted" in addition to "legacy" and "default".
Additionally, the database should include an explicit column in the user table, which specifies the hashingMode of the stored password, and is used during verification. However, when a user changes the password, the configured algorithm and hashingMode from usersrepository.xml will be used instead. This way, the database gradually upgrades over time to the preferred setting.
T-Shirt size L.
