[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Apr 5 07:09:22 CEST 2013


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611

--- Comment #42 from Chris Hall <chrish at catalyst.net.nz> ---
Created attachment 17204
  -->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17204&action=edit
Removing external dependency for password salting

I have written a wrapper around /dev/urandom and /dev/random that will give
back a specified number of bytes for salting purposes; however, this can be used
any time a pseudo-random number is needed within Koha.

/dev/urandom should be sufficient for general password salting; /dev/random is
more suited when higher entropy is needed (if we ever use server salts).

This patch removes the Crypt::Random::Source dependency that was mentioned in
the 'Updating dependencies' patch. It may be useful to squash this patch set
down, but I did not do so as I didn't want to remove authorship details.


Testplan:
In current master (before applying this patch) create a new user.

Login to the koha mysql database (sudo koha-mysql instance) and run the
following query:
select userid, password from borrowers where userid='username';

The output should be something like:
patron         | vdpWxEZTtVVPhZSAq1NIMw        

Apply the patch series on this bug

Change the user's password from within Koha (for testing it is fine to change it
to the same password).

Run the above query again and observe the output:
patron           | $2a$08$U93rGVfvcV0YUNhJY.so3OkNL46bGBrIR3ugyskXLIJY5aMD8ENme

Notice that the new password is longer, but also that all passwords generated
by this patch series should begin with '$2a$08$'.

If we change the password again in the interface to the same password and run
our database query again, we should get a different value in the password field
(although it will still have the '$2a$08$' prefix).

Attempt to login as the user using the password you just set.


This patch series fails if any of the following occur:
  you cannot change a password
  you cannot login
  the new passwords (viewing them from within the database) do not start with
"$2a$08$"
  changing the password twice to the same value (say, "testing") results in the
same password value being stored in the database

Otherwise it is a pass.

-- 
You are receiving this mail because:
You are watching all bug changes.
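The two pieces the comment above describes, a device-backed random byte helper used to build a bcrypt settings string, and the pass/fail rules of the test plan, written out as an added example. This is not Koha's code and not the attached patch (Koha is Perl; this is Python so it can be run stand-alone); the names random_bytes, bcrypt_salt, bcrypt_en_base64, parse_bcrypt and check_test_plan are illustrative, and the fallback to os.urandom when the device file cannot be opened is an assumption. The two stored values used at the bottom are the ones quoted in the comment. The block does not contain a bcrypt implementation, so the "attempt to login" step of the plan is not covered here; what it does show is how a 16-byte salt becomes the 22-character field after '$2a$08$', and how to check a before/after pair of database rows against every failure condition the comment lists.

```python
"""Added example (not Koha's code): a /dev/urandom-backed salt helper and a
checker for the bug's test plan.  Function names are illustrative."""
import base64
import os
import re

# bcrypt's base64 alphabet differs from RFC 4648: '.' and '/' come first and
# there is no '=' padding.  The 6-bit grouping is the same, so a standard
# encoding can simply be translated character for character.
_STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_BCRYPT_ALPHABET = b"./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_TO_BCRYPT = bytes.maketrans(_STD_ALPHABET, _BCRYPT_ALPHABET)

# Stored format the test plan looks for: $2a$<cost>$<22-char salt><31-char hash>
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def random_bytes(n, device="/dev/urandom"):
    """Read n bytes from a kernel RNG device.  /dev/urandom is enough for
    salts; /dev/random is only worth its blocking when you truly need it."""
    if n <= 0:
        raise ValueError("need a positive byte count")
    try:
        with open(device, "rb") as f:
            data = f.read(n)
    except OSError:
        # Assumption: fall back to os.urandom where the device file is absent.
        data = os.urandom(n)
    if len(data) != n:
        raise RuntimeError("short read from %s" % device)
    return data


def bcrypt_en_base64(raw):
    """bcrypt-style base64: standard bit grouping, bcrypt alphabet, no '='."""
    return base64.b64encode(raw).rstrip(b"=").translate(_TO_BCRYPT).decode("ascii")


def bcrypt_salt(cost=8, raw=None):
    """Settings string for bcrypt: 16 random bytes -> 22 chars under $2a$<cost>$."""
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost must be 4..31")
    raw = random_bytes(16) if raw is None else raw
    if len(raw) != 16:
        raise ValueError("bcrypt salt is exactly 16 bytes")
    return "$2a$%02d$%s" % (cost, bcrypt_en_base64(raw))


def parse_bcrypt(stored):
    """Split a stored bcrypt string into its fields, or None if it is not one."""
    m = _BCRYPT_RE.match(stored)
    if not m:
        return None
    return {"version": m.group(1), "cost": int(m.group(2)),
            "salt": m.group(3), "hash": m.group(4)}


def check_test_plan(before, after_first, after_second):
    """Apply the comment's pass/fail rules to the stored password column as seen
    before the patch and after each of two changes to the same password.
    Returns a list of failure reasons; an empty list is a pass."""
    failures = []
    if parse_bcrypt(before) is not None:
        failures.append("pre-patch value already looks like bcrypt; wrong baseline")
    for label, value in (("first change", after_first),
                         ("second change", after_second)):
        if not value.startswith("$2a$08$"):
            failures.append("%s: does not start with $2a$08$" % label)
        if parse_bcrypt(value) is None:
            failures.append("%s: not a well-formed 60-char bcrypt string" % label)
    if after_first == after_second:
        failures.append("same stored value after two changes: salt is not random")
    else:
        p1, p2 = parse_bcrypt(after_first), parse_bcrypt(after_second)
        if p1 and p2 and p1["salt"] == p2["salt"]:
            failures.append("salt reused across changes")
    return failures


if __name__ == "__main__":
    # Values quoted in the comment: the old MD5-based column and the bcrypt one.
    OLD = "vdpWxEZTtVVPhZSAq1NIMw"
    NEW = "$2a$08$U93rGVfvcV0YUNhJY.so3OkNL46bGBrIR3ugyskXLIJY5aMD8ENme"
    print(bcrypt_salt())            # fresh $2a$08$ settings string, 29 chars
    print(parse_bcrypt(NEW))
    print(check_test_plan(OLD, NEW, NEW))   # identical rows -> a failure
```

Two things a reviewer would keep in mind when running the plan: the '08' in the prefix is the bcrypt cost (2^8 key-setup rounds), so the prefix check also pins the cost the patch chose; and a repeated stored value is the only symptom of a broken or reused salt that the database query can reveal, which is why the comment treats it as a hard failure rather than a cosmetic one.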

