Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#1641 closed enhancement (fixed)

Use bcrypt for storing passwords instead of MD5

Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
Priority: critical
Milestone: BASE 3.0
Component: core
Version:
Keywords:
Cc:

Description (last modified by Nicklas Nordborg)

This ticket replaces #1640. See http://codahale.com/how-to-safely-store-a-password/ for some background information.

We'll need to remove the 'Encrypt password' feature of the web client. We recommend that HTTPS is used if protection is needed.

To be able to upgrade an existing server we should store bcrypt(MD5(password)). Since we already have the MD5(password) stored the upgrade is simple.
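
The upgrade path described above, as an added example that is not part of the ticket or the BASE code: existing MD5 values are wrapped in bcrypt without knowing the plaintext, and logins are checked against bcrypt(MD5(password)). It assumes the jBCrypt library (`org.mindrot.jbcrypt.BCrypt`), that the legacy value is stored as 32 hex characters, and a cost factor of 10; the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.mindrot.jbcrypt.BCrypt; // assumed library; the ticket does not name one

public class PasswordUpgradeExample {
    static final int LOG_ROUNDS = 10; // assumed cost factor, tune for your hardware

    // Legacy format (assumption): MD5(password) as 32 lowercase hex characters.
    // Hex keeps the bcrypt input free of NUL bytes and well under bcrypt's 72-byte limit.
    static String md5Hex(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, digest));
    }

    // Upgrade step: the stored MD5 value is the bcrypt input, so no plaintext is needed.
    static String upgradeLegacyHash(String storedMd5Hex) {
        return BCrypt.hashpw(storedMd5Hex, BCrypt.gensalt(LOG_ROUNDS));
    }

    // New passwords go through the same two stages so every row has one format.
    static String hashNewPassword(String password) throws NoSuchAlgorithmException {
        return upgradeLegacyHash(md5Hex(password));
    }

    // Login check: recompute MD5 of the candidate, then let bcrypt compare.
    static boolean verify(String candidate, String storedBcrypt)
            throws NoSuchAlgorithmException {
        return BCrypt.checkpw(md5Hex(candidate), storedBcrypt);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a row as it would look before the upgrade.
        String legacyRow = md5Hex("example-password");
        String upgradedRow = upgradeLegacyHash(legacyRow);

        System.out.println("legacy   : " + legacyRow);
        System.out.println("upgraded : " + upgradedRow);
        System.out.println("correct password accepted: "
                + verify("example-password", upgradedRow));
        System.out.println("wrong password accepted  : "
                + verify("other-password", upgradedRow));
        // A password set after the upgrade verifies through the same path.
        System.out.println("new-style hash accepted  : "
                + verify("fresh-password", hashNewPassword("fresh-password")));
    }
}
```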

Change History (5)

comment:1 Changed 10 years ago by Nicklas Nordborg

Description: modified (diff)

comment:2 Changed 10 years ago by Nicklas Nordborg

Owner: changed from everyone to Nicklas Nordborg
Status: changed from new to assigned

comment:3 Changed 10 years ago by Nicklas Nordborg

(In [5827]) References #1641: Use bcrypt for storing passwords instead of MD5

This is now implemented in the core and web client and seems to be working well. The update script has not yet been fixed so upgrading will not work.

comment:4 Changed 10 years ago by Nicklas Nordborg

Resolution: fixed
Status: changed from assigned to closed

(In [5828]) Fixes #1641: Use bcrypt for storing passwords instead of MD5

This upgrade script should now be working.

comment:5 Changed 10 years ago by Nicklas Nordborg

(In [5829]) References #1641: Use bcrypt for storing passwords instead of MD5

Fixed javadoc.
