James Server / JAMES-3674

Support password salting and hash scheme upgrading

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: master
    • Fix Version/s: 3.7.0
    • Component/s: None

    Description

Currently, James does not use salt during password hashing, so its password database is vulnerable to rainbow table cracking if someone ever manages to steal it. Furthermore, there is no mechanism to upgrade user passwords to stronger/different hashing once they are created (cf. legacy hashing mode). This is a problem for any installation that does not employ an external LDAP user database.

A simple solution is to include the user name as salt in the password hash. For this purpose, the hashingMode choices in usersrepository.xml should include a new mode "salted" in addition to "legacy" and "default".

Additionally, the database should include an explicit column in the user table, which specifies the hashingMode of the stored password, and is used during verification. However, when a user changes the password, the configured algorithm and hashingMode from usersrepository.xml will be used instead. This way, the database gradually upgrades over time to the preferred setting.

T-Shirt size L.
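The scheme proposed above (a per-row hashingMode column consulted at verification time, and re-hashing under the configured mode whenever the password changes) sketched in Python as an added example; this is not James's code. The "legacy" and "salted" digests (plain SHA versus PBKDF2 with the user name as salt), the iteration count and the in-memory user table are assumptions of this example, not James's actual implementation.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed stand-ins for the hashingMode values named in the issue; the digest
# construction is this example's own choice, not James's real implementation.
PBKDF2_ITERATIONS = 10_000

def compute_hash(algorithm, hashing_mode, username, password):
    if hashing_mode == "legacy":
        # Unsalted digest: identical passwords yield identical hashes.
        return hashlib.new(algorithm, password.encode()).hexdigest()
    if hashing_mode == "salted":
        # The user name serves as salt, as the issue proposes.
        return hashlib.pbkdf2_hmac(algorithm, password.encode(),
                                   username.encode(), PBKDF2_ITERATIONS).hex()
    raise ValueError(f"unknown hashingMode {hashing_mode!r}")

@dataclass
class StoredUser:
    username: str
    algorithm: str
    hashing_mode: str  # explicit column: how the stored hash was produced
    password_hash: str

class UserRepository:
    def __init__(self, configured_algorithm, configured_mode):
        self.algorithm = configured_algorithm  # as configured in usersrepository.xml
        self.mode = configured_mode
        self.rows = {}  # username -> StoredUser, standing in for the user table

    def add_user(self, username, password):
        # New rows always use the configured algorithm and mode.
        digest = compute_hash(self.algorithm, self.mode, username, password)
        self.rows[username] = StoredUser(username, self.algorithm, self.mode, digest)

    def verify(self, username, password):
        row = self.rows.get(username)
        if row is None:
            return False
        # Verification uses the mode recorded with the row, not the configured one.
        candidate = compute_hash(row.algorithm, row.hashing_mode, username, password)
        return hmac.compare_digest(candidate, row.password_hash)

    def update_password(self, username, old_password, new_password):
        if not self.verify(username, old_password):
            return False
        self.add_user(username, new_password)  # re-hash: the row upgrades here
        return True
```

A row seeded under "legacy" keeps verifying with its unsalted digest until the user changes the password, after which the row carries the configured "salted" mode.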

People

    • Assignee: Unassigned
    • Reporter: Karsten Otto (kotto)

Time Tracking

    • Original Estimate: Not Specified
    • Remaining Estimate: 0h
    • Time Spent: 7h 20m