|ID||Project||Category||View Status||Date Submitted||Last Update|
|0006046||opensim||[GRID] User Service||public||2012-06-09 16:52||2019-02-25 07:33|
|Platform||Operating System||Operating System Version|
|Product Version||master (dev code)|
|Target Version||Fixed in Version|
|Summary||0006046: seamless migration of password hash & salt from md5 to sha-512|
|Description||Decided to see if it was possible to seamlessly migrate from md5 salting to sha-512 salting. Works as expected, although the attached patch should be considered incomplete as I'm unfamiliar with the MSSQL/SQLITE syntax for altering db field lengths.|
I'm not a security expert by any means, but I'm led to believe sha-512 is considered more secure than md5.
Downside to this change is it'll break any software that directly reads the authentication table on the assumption it's an md5 hash (e.g. any front ends that don't check logins via a C# module).
|Tags||No tags attached.|
|Git Revision or version number||8a8755605587ca321b950d108c7bea92c8e330b7|
|Run Mode||Standalone (1 Region)|
|Environment||.NET / Windows64|
|Attached Files||SHA512-Auth.patch (5,806 bytes) 2012-06-09 16:52|
I don't see a need for this patch. Neither the salt nor the salted hash are ever communicated to clients, so they don't present a target for cracking. The only reason passwords are salted at all is the case where the entire database is compromised. Although md5 has been broken for some cases, the probability of breaking the salted hashes algorithmically is negligibly small.
The over-the-wire password sent by the client is sent as a simple md5 hash and this is where the real issue lies. If this password can be intercepted, algorithmic reversal of digesting and/or brute forcing can be attempted. However, this is something that is under client control and one really should not trust grids that don't offer a https:// loginuri.
In my opinion this patch creates needless hardship for 3rd party modules; needless because there is no measurable gain in security.
-1 as a mandatory change for everyone
I would consider the patch if it were supplied as an optional function in an alternative authentication module for grids to migrate to if they want to, but not as changes against the main module.
|2012-06-09 16:52||SignpostMarv||New Issue|
|2012-06-09 16:52||SignpostMarv||File Added: SHA512-Auth.patch|
|2012-06-10 06:35||melanie||Note Added: 0021642|
|2019-02-25 07:33||tampa||Status||new => patch feedback|
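The migrate-on-login idea from the issue description, as an added Python example that is not taken from the issue or the attached patch: a row is verified with whichever scheme its stored hash length indicates, and a legacy MD5 row is rewritten as salted SHA-512 after a successful login. The hash layout `H(md5(password):salt)`, the record fields and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MD5_HEX_LEN = 32      # legacy hash column width
SHA512_HEX_LEN = 128  # width the hash column must grow to for migrated rows


def client_md5(password):
    """What the client sends over the wire: a plain MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def _digest(algo, wire_hash, salt):
    # Assumed storage layout: H(md5(password) ":" salt), hex encoded.
    return hashlib.new(algo, f"{wire_hash}:{salt}".encode()).hexdigest()


def new_record(wire_hash, algo="sha512"):
    """Build a stored row with a fresh random salt."""
    salt = secrets.token_hex(16)
    return {"salt": salt, "hash": _digest(algo, wire_hash, salt)}


def verify_and_migrate(record, wire_hash):
    """Return True on a valid login; upgrade a legacy MD5 row in place."""
    stored = record["hash"]
    if len(stored) == SHA512_HEX_LEN:
        algo = "sha512"
    elif len(stored) == MD5_HEX_LEN:
        algo = "md5"
    else:
        return False  # unknown format: fail closed
    candidate = _digest(algo, wire_hash, record["salt"])
    if not hmac.compare_digest(candidate, stored):
        return False
    if algo == "md5":
        # The submitted value is only available at login time, so this is
        # the one point where the row can be rehashed under a new salt.
        record.update(new_record(wire_hash))
    return True
```

Rows for accounts that never log in again stay in the MD5 format, so both branches have to remain until those rows are expired or reset.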