This site has been archived. To learn more about our current products Ibexa Content, Ibexa Experience, Ibexa Commerce head over to the Ibexa Developer Portal

eZ Community » Forums » Developer » loose password security in eZP
expandshrink

loose password security in eZP

loose password security in eZP

Monday 03 June 2013 1:44:17 pm - 3 replies

In the light of this articles:

http://techcrunch.com/2013/05/29/...cked-user-details-exposed-and-reset/

http://arstechnica.com/security/2...e-minced-meat-out-of-your-passwords/

I was wondering how secure are password stored in eZP... By looking at the eZUser::createHash() it doesn't seem there's much security: username as salt, and only one MD5 pass...

Also, there's no mechanism to use a custom hashing/crypt function which makes it impossible to tighten stored password security if someone want's to...

Are there any initiatives to enable a more strong password storing system?

Modified on Monday 03 June 2013 2:00:21 pm by Mavko Žmak - Žmale

Monday 03 June 2013 4:39:12 pm

Just create a custom login handler. In fact, I'd like someone come up with a stronger-security-login-handler.

Or: file a pull request to have, with the std login handler, more flexible pwd hash generators - in ezpub-kernel-legacy

Tuesday 04 June 2013 9:54:57 am

Well, if your database is in someone else's hands it's too late anyway no matter what other measures are in place.

Of course using [UserSettings]HashType=md5_site with a random salt for [UserSettings]SiteName is slightly better than using md5_user - but if someone has your database, chances are they can also get to your filesystem and access your salt.

 

Tuesday 04 June 2013 5:27:45 pm

I agree with Steven.

Move SSH and MySQL off the default ports.  Limit remote connections into MySQL to authorized servers only (or none).  Enforce strong passwords and expire them, in both the application (if possible) and on the server.

Use a web application firewall like mod_security.

Monitor the server for unauthorized access.

Require a lower privilege login prior to allowing root logins.

expandshrink

You must be logged in to post messages in this topic!

36 542 Users on board!

Forums menu

Proudly Developed with from