[Owncloud] Salt

Klaas Freitag freitag at owncloud.com
Fri Jun 8 08:45:08 UTC 2012


On 08.06.2012 10:30, Frank Karlitschek wrote:
> Hi Andreas,
>
> thanks for the hint. Waiting for your patch ;-)
>
> The challenge is that we can't implement it as usual and put a salt into the code. This would be useless because the code is open source.
Yes, the salt needs to be an admin salt stored somewhere out of the code.
>
> So the salt has to be different for every installation. We could generate a random salt during installation and store it in the config file. The admin has to understand that the user database can't be migrated to a different host without the config.php entry. This is not a protection if the server is completely cracked as the one from LinkedIn was, because the salt is stored in cleartext on the server.
Sure, but I don't think people expect to be able to migrate users on that level. Either you migrate the whole UserDB incl. salt, or you have another idiom identifying the user on both systems, i.e. an account name, such as Frank here == Frank there.
AFAIK we don't have that, we identify the user by id so far. I suggest to change that and have a user identifying string (many systems use email here, but that's a false friend imo).

BTW - here is an interesting blog that helped me to understand:
http://pbeblog.wordpress.com/2008/02/12/secure-hashes-in-php-using-salt/

Klaas
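An added illustration of the design discussed in this thread, written for this page and not taken from ownCloud or from either poster: a random salt generated once at installation time and stored in config.php, then combined with the per-user salt that bcrypt adds. The helper names, the config key `install_salt` and the temporary file standing in for config.php are assumptions.

```php
<?php
// Added example, not ownCloud code: the design discussed in the thread, a random
// salt generated once at installation time and kept in config.php, outside the
// open source code. Helper names and the config key 'install_salt' are hypothetical.

// Generate the installation-specific salt and write it to config.php:
// 32 CSPRNG bytes, hex-encoded so the value is safe inside a PHP source file.
function generateInstallConfig(string $path): array
{
    $config = ['install_salt' => bin2hex(random_bytes(32))];
    $php = "<?php\n\$CONFIG = " . var_export($config, true) . ";\n";
    file_put_contents($path, $php, LOCK_EX);
    return $config;
}

// Read the salt back the way the application would on every request.
function loadInstallConfig(string $path): array
{
    $CONFIG = [];
    require $path; // the generated file assigns $CONFIG in this scope
    return $CONFIG;
}

// The install salt keys an HMAC over the password, tying every stored hash to
// this config.php; password_hash() then adds its own per-user bcrypt salt, so
// two users with the same password still end up with different hashes.
function hashPassword(string $password, string $installSalt): string
{
    return password_hash(hash_hmac('sha256', $password, $installSalt), PASSWORD_BCRYPT);
}

function verifyPassword(string $password, string $hash, string $installSalt): bool
{
    return password_verify(hash_hmac('sha256', $password, $installSalt), $hash);
}

// Walk-through with a temporary file standing in for config.php.
$path = tempnam(sys_get_temp_dir(), 'oc-config-');
generateInstallConfig($path);
$salt = loadInstallConfig($path)['install_salt'];
$stored = hashPassword('correct horse battery staple', $salt);
$ok = verifyPassword('correct horse battery staple', $stored, $salt);

// Frank's caveat: the same user table copied to a host that generated its own
// install_salt cannot verify anyone, because the config.php entry did not travel.
$otherSalt = bin2hex(random_bytes(32));
$migrated = verifyPassword('correct horse battery staple', $stored, $otherSalt);
printf("same installation: %s, other installation: %s\n",
    $ok ? 'accepted' : 'rejected', $migrated ? 'accepted' : 'rejected');
unlink($path);
```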


