[Koha-bugs] [Bug 9611] Changing the password hashing algorithm from MD5 to more secure Bcrypt
bugzilla-daemon at bugs.koha-community.org
Fri Apr 5 07:09:22 CEST 2013
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9611
--- Comment #42 from Chris Hall <chrish at catalyst.net.nz> ---
Created attachment 17204
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17204&action=edit
Removing external dependency for password salting
I have written a wrapper around /dev/urandom and /dev/random that will give
back a specified number of bytes for salting purposes; however, this can be used
any time a pseudo-random number is needed within Koha.
/dev/urandom should be sufficient for general password salting; /dev/random is
more suited when higher entropy is needed (if we ever use server salts).
This patch removes the Crypt::Random::Source dependency that was mentioned in
the 'Updating dependencies' patch; it may be useful to squash this patch set
down, but I did not do so as I didn't want to remove authorship details.
Test plan:
In current master (before applying this patch) create a new user.
Log in to the koha mysql database (sudo koha-mysql instance) and run the
following query:
select userid, password from borrowers where userid='username';
The output should be something like:
patron | vdpWxEZTtVVPhZSAq1NIMw
Apply the patch series on this bug.
Change the user's password from within koha (for testing it is fine to change it
to the same password).
Run the above query again and observe the output:
patron | $2a$08$U93rGVfvcV0YUNhJY.so3OkNL46bGBrIR3ugyskXLIJY5aMD8ENme
Notice that the new password is longer, but also that all passwords generated
by this patch series should begin with '$2a$08$'.
If we change the password again in the interface to the same password and run
our database query again, we should get a different value in the password field
(although it will still have the '$2a$08$' prefix).
Attempt to log in as the user using the password you just set.
This patch series fails if any of the following occur:
- you cannot change a password
- you cannot log in
- the new passwords (viewing them from within the database) do not start with
  "$2a$08$"
- changing the password twice to the same value (say, "testing") results in the
  same password value being stored in the database
Otherwise it is a pass.
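As an added example (not part of this patch series or Koha's own code), the Python helpers below mirror the test plan: a byte source reading /dev/urandom like the wrapper described, bcrypt's own base64 encoding of a 16-byte salt into the '$2a$08$' settings string, and a checker for the pass/fail conditions on values read back from the borrowers table. Function names are assumptions; the Eksblowfish hashing itself is not reimplemented here, only the salt and the stored-string format are checked.

```python
import os
import re

# bcrypt uses its own base64 alphabet (not RFC 4648); 16 salt bytes -> 22 chars
_BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# A full bcrypt string: "$2a$" + 2-digit cost + "$" + 22-char salt + 31-char digest = 60 chars
_BCRYPT_RE = re.compile(r"^\$2a\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def random_bytes(n, device="/dev/urandom"):
    """Return n bytes from the kernel CSPRNG (hypothetical stand-in for the wrapper).

    /dev/urandom is fine for per-password salts; pass /dev/random only where
    blocking for extra entropy is acceptable. Falls back to os.urandom() when
    the device is missing (e.g. non-Unix hosts). A short read is an error.
    """
    try:
        with open(device, "rb") as f:
            data = f.read(n)
    except OSError:
        data = os.urandom(n)
    if len(data) != n:
        raise RuntimeError("short read from %s" % device)
    return data

def bcrypt_b64(raw):
    """Encode raw bytes in bcrypt's base64 variant (no '=' padding)."""
    out, acc, bits = [], 0, 0
    for byte in raw:
        acc, bits = (acc << 8) | byte, bits + 8
        while bits >= 6:
            bits -= 6
            out.append(_BCRYPT_ALPHABET[(acc >> bits) & 0x3F])
    if bits:  # leftover bits sit in the high positions of the last character
        out.append(_BCRYPT_ALPHABET[(acc << (6 - bits)) & 0x3F])
    return "".join(out)

def bcrypt_settings(cost=8):
    """Build the '$2a$08$<22-char salt>' settings string, fresh salt each call."""
    return "$2a$%02d$%s" % (cost, bcrypt_b64(random_bytes(16)))

def check_stored_hash(stored, expected_cost=8):
    """True when a borrowers.password value has the shape the test plan expects."""
    m = _BCRYPT_RE.match(stored)
    return m is not None and int(m.group(1)) == expected_cost

def salts_differ(hash_a, hash_b):
    """Two stored hashes of the same password must differ (fresh salt per change)."""
    return check_stored_hash(hash_a) and check_stored_hash(hash_b) and hash_a != hash_b
```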