#1461 closed defect (duplicate)
User passwords stored/emailed in plain text(!?)
| Reported by: | throwawayaccount | Owned by: | |
|---|---|---|---|
| Priority: | critical | Milestone: | |
| Component: | General | Version: | 1.1 |
| Keywords: | password hash plain text bcrypt | Cc: |
Description
Hi,
This week I registered for a conference in DESY, and upon creation of my account I was sent my password. I emailed someone as DESY and he informed me that this is how Indico systems work. I thought perhaps that his installation was an old one and that newer versions might use password hashing, but looking at the source code I can't see an obvious implementation of this (local authentication uses bcrypt, but I don't know whether that covers user accounts).
Passwords must be hashed with bcrypt as a minimum before they're stored in a database, with unique salts. md5 and sha hashes are outdated and insecure.
Many users will use the same password across multiple accounts, and if an attacker were to break into the database or intercept an email containing the password, it would be trivial for them to access the indico account and possibly others elsewhere on the web. Furthermore, the password could potentially be added to wordlists that attackers could use to run dictionary attacks on other stolen passwords.
The guy I emailed at DESY informed me that indico user accounts are very limited in their rights. This doesn't matter. Any foothold an attacker can get on a system is an advantage you cannot afford to give them. Once inside they may obtain information on either the victim or their colleagues that they could then use to take control of other accounts or systems, or simply steal someone's identity.
I seek either reassurance that bcrypt is indeed being used on user passwords, or that it will be implemented soon.
Best regards,
Matt
P.S. I understand there will probably be issues with backwards-compatibility if newer versions expect passwords to be hashed, but this really is important and I would be bothering to write this if I didn't think it was.
Change History (4)
comment:1 Changed 21 months ago by jmonnich
- Resolution set to fixed
- Status changed from new to closed
comment:2 Changed 21 months ago by jmonnich
- Resolution fixed deleted
- Status changed from closed to new
comment:3 Changed 21 months ago by jmonnich
- Resolution set to duplicate
- Status changed from new to closed
I completely agree that storing passwords in plaintext or sending them out in plaintext is not acceptable. And for exactly this reason we finally changed this in version 1.2 so they are encrypted using bcrypt and when resetting a password a random token is emailed to the user.