[Owncloud] Salt

Hendrik v. Raven hendrik at consetetur.de
Fri Jun 8 09:55:56 UTC 2012


On 06/08/2012 11:40 AM, Frank Karlitschek wrote:
> O.K. I will add an option in the config.php file to set a salt
> which will be used to hash the passwords. This salt will be auto
> generated during setup.

If you want a secure storage for the passwords you should use a
hashing function which creates a new random salt for every user.
Otherwise attacks with rainbow tables are still possible. A single
salt for all users is better than no salt, but it's still bad.

Also a better hashing algorithm than MD5 would be a good idea. MD5 is
completely insecure for cryptographic reasons. Modern hashing
algorithms like SHA2 with a length of 256+ should be used for modern
software.

The crypt function of Linux gives simple access to high quality crypto
algorithms like salted SHA256 or SHA512. They are stored in the form
$algorithmtype$salt$hash and are widely accepted to be secure. (see
https://en.wikipedia.org/wiki/Crypt_(Unix) )

> This means of course that your user accounts are lost if you only
> delete the config file but not the database. But this is probably
> the price of security.

If you store the salt together with the database you don't lose
anything as long as your database is valid. Copying of users between
systems should be possible as well.

Greetings,
Hendrik
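The two points Hendrik makes above (a fresh random salt per user, and a self-describing "$scheme$salt$hash" string that carries its own salt so rows can be copied between databases) as an added, runnable example. This is not ownCloud code and not the glibc crypt() implementation: it uses PBKDF2-HMAC-SHA256 from Python's standard hashlib, and the "$pbkdf2-sha256$" tag, the 16-byte salt size, the iteration count and the three-user scenario in demo() are all this example's own assumptions. The crack() function is a plain dictionary attack that builds one lookup table per distinct salt; it shows concretely why a single site-wide salt still lets one precomputed table cover every user, while per-user salts force the attacker to redo the work per account.

```python
"""Per-user salted password storage in a crypt()-style "$scheme$params$salt$hash"
string.  Added example, not ownCloud code.  PBKDF2-HMAC-SHA256 stands in for
glibc's SHA-crypt; the scheme tag below is this example's own convention."""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SCHEME = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 100_000   # assumption: raise for production hardware


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return "$pbkdf2-sha256$<iterations>$<salt>$<hash>" for the password.

    A fresh 16-byte random salt is drawn per call, i.e. per user.  Passing a
    salt explicitly is only used below to model a shared site-wide salt."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${SCHEME}${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Verify against a stored string.  Salt and cost come from the string
    itself, so the row can be copied to another system without any config."""
    try:
        _, scheme, iterations, salt_b64, hash_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        iters = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(dk, expected)   # constant-time comparison


def crack(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on a dumped user table.

    One hash->password table is built per distinct (iterations, salt) pair, so
    with a site-wide salt the cost is len(wordlist) no matter how many users
    exist; with per-user salts it is len(wordlist) * number_of_users.
    Returns (cracked {user: password}, number of hash computations)."""
    tables: Dict[Tuple[str, str], Dict[str, str]] = {}
    cracked: Dict[str, str] = {}
    work = 0
    for user, s in stored.items():
        _, _scheme, iters, salt_b64, hash_b64 = s.split("$")
        key = (iters, salt_b64)
        if key not in tables:                 # new salt: precompute a table
            salt = base64.b64decode(salt_b64)
            tables[key] = {}
            for word in wordlist:
                dk = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, int(iters))
                tables[key][_b64(dk)] = word
                work += 1
        if hash_b64 in tables[key]:           # lookup is free once the table exists
            cracked[user] = tables[key][hash_b64]
    return cracked, work


def demo(iterations: int = 1000) -> dict:
    """Constructed scenario: three users (two share a password), attacked with a
    four-word list, once with a shared salt and once with per-user salts."""
    users = {"alice": "letmein", "bob": "letmein", "carol": "hunter2"}
    wordlist = ["password", "letmein", "hunter2", "qwerty"]
    site_salt = b"site-wide-salt!!"            # constructed 16-byte shared salt
    global_db = {u: hash_password(p, salt=site_salt, iterations=iterations)
                 for u, p in users.items()}
    peruser_db = {u: hash_password(p, iterations=iterations) for u, p in users.items()}
    cracked_g, work_g = crack(global_db, wordlist)
    cracked_p, work_p = crack(peruser_db, wordlist)
    return {
        "global_salt_identical_hashes": global_db["alice"] == global_db["bob"],
        "per_user_identical_hashes": peruser_db["alice"] == peruser_db["bob"],
        "global_salt_work": work_g,
        "per_user_work": work_p,
        "cracked_global": cracked_g,
        "cracked_per_user": cracked_p,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the shared salt, alice and bob end up with byte-identical strings (so an attacker learns they share a password before cracking anything) and the whole table falls to four hash computations; with per-user salts every account costs the full wordlist again. Neither variant makes a weak password safe, which is why the cost parameter is stored alongside the salt and should be raised over time.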