[Owncloud] Salt

Andreas Schneider asn at cryptomilk.org
Fri Jun 8 10:11:55 UTC 2012


On Friday 08 June 2012 11:55:56 Hendrik v. Raven wrote:
> On 06/08/2012 11:40 AM, Frank Karlitschek wrote:
> > O.K. I will add an option in the config.php file to set a salt
> > which will be used to hash the passwords. This salt will be auto
> > generated during setup.
> 
> If you want a secure storage for the passwords you should use a
> hashing function which creates a new random salt for every user.
> Otherwise attacks with rainbow tables are still possible. A single
> salt for all users is better than no salt, but it's still bad.
> 
> Also a better hashing algorithm than MD5 would be a good idea. MD5 is
> completely insecure for cryptographic reasons. Modern hashing
> algorithms like SHA2 with a length of 256+ should be used for modern
> software.
> 
> The crypt function of linux gives simple access to high quality crypto
> algorithms like salted SHA256 or SHA512. They are stored in the form
> $algorithmtype$salt$hash and are widely accepted to be secure. (see
> https://en.wikipedia.org/wiki/Crypt_(Unix) )

The phpass function which is used in ownCloud in the meantime looks like it 
solves the problem now.

It uses crypt with blowfish at the moment and is tuned to take 1ms to 10ms 
to generate the hash. So generating the rainbow table will probably take ages.

$2a$08$lh85qKaF6CVi.azfbThI4.qbLZK9vw0XaLHWr616JbH...

$2a means blowfish
$08 is the strength

So this looks pretty good now. You just should make sure that you change your 
password so that the hash is stored with crypt() now. If the password is stored as 
a simple hash it gets updated now.

Sorry I was wrong!


It looks good now thanks to Robin Appelman.
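The stored-hash format discussed in this thread, as an added example that is not part of the mail or of ownCloud's code: it parses a `$2a$<cost>$<salt><hash>` bcrypt string into its fields and flags stored values that should be rehashed on the next login (a legacy unsalted MD5 hex digest, or a bcrypt cost below an assumed policy minimum of 8, the `$08` shown above). The sample strings are constructed, not real password hashes.

```python
import hashlib
import re

# Modular crypt format produced by crypt() with blowfish:
#   $2a$<2-digit cost>$<22-char salt><31-char hash>
# The alphabet is bcrypt's own base64 variant (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
# Legacy unsalted MD5 storage: 32 lowercase hex characters.
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")
# Assumed policy minimum; the cost is log2 of the key-setup iterations.
MIN_COST = 8

# Constructed samples (not real hashes): a 22-char salt and 31-char hash body.
SAMPLE_SALT = "abcdefghijklmnopqrstuv"
SAMPLE_HASH = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE_BCRYPT = "$2a$08$" + SAMPLE_SALT + SAMPLE_HASH
SAMPLE_WEAK = "$2a$04$" + SAMPLE_SALT + SAMPLE_HASH
LEGACY_MD5 = hashlib.md5(b"password").hexdigest()


def parse_bcrypt(stored):
    """Split a bcrypt string into its fields, or return None if malformed."""
    m = BCRYPT_RE.match(stored)
    if m is None:
        return None
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt, "hash": digest}


def classify(stored, min_cost=MIN_COST):
    """Return 'bcrypt', 'weak-cost', 'legacy-md5' or 'unknown' for a stored value."""
    parsed = parse_bcrypt(stored)
    if parsed is not None:
        return "bcrypt" if parsed["cost"] >= min_cost else "weak-cost"
    if MD5_HEX_RE.match(stored):
        return "legacy-md5"
    return "unknown"


def needs_rehash(stored, min_cost=MIN_COST):
    """True when the stored value should be replaced after the next successful login."""
    return classify(stored, min_cost) != "bcrypt"


def audit(stored_values, min_cost=MIN_COST):
    """Count stored values per class, e.g. over a dump of the user table."""
    counts = {}
    for value in stored_values:
        kind = classify(value, min_cost)
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```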