[Owncloud] Salt

Frank Karlitschek frank at owncloud.org
Fri Jun 8 08:30:54 UTC 2012


Hi Andreas,

thanks for the hint. Waiting for your patch ;-)

The challenge is that we can't implement it as usual and put a salt into the code. This would be useless because the code is open source.

So the salt has to be different for every installation. We could generate a random salt during installation and store it in the config file. The admin has to understand that the user database can't be migrated to a different host without the config.php entry. This is not a protection if the server is completely cracked as the one from LinkedIn was, because the salt is stored in cleartext on the server.
Obviously this only helps if someone used the internal ownCloud user management and has no effect if LDAP or any other user backend is used.


Suggestions?


Frank


On 08.06.2012, at 10:15, Andreas Schneider <asn at cryptomilk.org> wrote:

> You know there is this rocket science technology from the 70s. It is called 
> salt in cryptography. I suggested several times to use salting in ownCloud but 
> we still don't have it.
> 
> First linkedin:
> http://www.h-online.com/security/news/item/LinkedIn-confirms-that-user-passwords-were-compromised-1612554.html
> 
> then last.fm:
> http://www.lastfm.de/passwordsecurity
> 
> 
> next: your owncloud installation ...
> 
> 
> 
> 	-- andreas
> 
> 
> 
> 
> -- 
> Andreas Schneider                   GPG-ID: F33E3FC6
> www.cryptomilk.org                asn at cryptomilk.org
> 
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
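The scheme sketched in the message above, written out as an added example that is not ownCloud code and not from either poster: a random salt is generated for every user and stored next to the hash (going one step past the per-installation salt discussed, since a single shared salt still lets two users with the same password be spotted and cracked together), and the per-installation secret from config.php is mixed in as an HMAC "pepper", so a dumped user table is useless on a host that lacks that config entry. `INSTALL_SECRET`, the PBKDF2 parameters and the `algo$iterations$salt$hash` record layout are assumptions made for this example; the installation secret here is a constructed constant standing in for a value an installer would generate once with `os.urandom`.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed per-installation secret: stands in for the random value the
# installer would write to config.php (assumption). It must never live in
# the source tree, which is exactly the point made in the thread.
INSTALL_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, one per user


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _keyed(password: str, install_secret: bytes) -> bytes:
    # Pepper step: the installation secret keys an HMAC over the password.
    # Without config.php an attacker cannot even start guessing offline.
    return hmac.new(install_secret, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS,
                  install_secret: bytes = INSTALL_SECRET) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>.

    Storing the parameters in the record lets the work factor be raised later
    without invalidating existing users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for this user
    dk = hashlib.pbkdf2_hmac("sha256", _keyed(password, install_secret),
                             salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password: str, record: str,
                    install_secret: bytes = INSTALL_SECRET) -> bool:
    """Recompute the hash from the record's own parameters; constant-time compare."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except ValueError:
        return False                           # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _keyed(password, install_secret),
                             salt, iterations)
    return hmac.compare_digest(dk, expected)


def unsalted_records_collide(password: str) -> bool:
    """Plain unsalted SHA-1: two users with the same password get the same
    stored hash, so cracking one entry cracks every user who chose it."""
    a = hashlib.sha1(password.encode("utf-8")).hexdigest()
    b = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return a == b


def salted_records_differ(password: str) -> bool:
    """With a per-user salt the same password yields different records,
    so precomputed tables and cross-user matching stop working."""
    return hash_password(password) != hash_password(password)


def verify_without_config(password: str, record: str) -> bool:
    """The user table moved to another host without the config.php entry:
    the record is intact but verification fails, as the message warns."""
    return verify_password(password, record, install_secret=b"some-other-host-secret")


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify:", verify_password("correct horse battery staple", rec))
    print("same password, different records:", salted_records_differ("hunter2"))
    print("usable on a host without config.php:",
          verify_without_config("correct horse battery staple", rec))
```

The pepper does not protect against the case the message names, a fully compromised server, because config.php is readable there too; what it buys is protection against the far more common partial leak (an SQL dump or a stray backup), and for that reason the admin must treat the config entry as part of the user database when migrating.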



