Question about Servoy security

Hi,

I’m new to Servoy, and have trawled the forums looking for an answer to the following question. I saw from this post (http://forum.servoy.com/viewtopic.php?f=5&t=12472) that Servoy stores passwords using a one-way, irreversible hash. Is the hash algorithm a known, standard published one, such as the salted password approaches used on Unix/Linux?

I am contemplating using an external authentication scheme, but want to be able to migrate existing users and passwords to the external system. Therefore, I need to be able to carry the existing password encryption scheme with me (just one among several options).

Much thanks in advance.

This is the code that creates the hash of the passwords:

import java.security.MessageDigest;

// Servoy's password hashing routine as quoted in the thread. encodeBASE64() and
// Debug.error() are Servoy's own helpers: the former Base64-encodes the digest
// (java.util.Base64.getEncoder().encodeToString(hash) is the JDK equivalent),
// the latter logs the exception.
public static String calculateMD5HashBase64(String password)
{
	String result = null;
	try
	{
		// Unsalted MD5 over the UTF-8 bytes of the password
		MessageDigest md = MessageDigest.getInstance("MD5"); //$NON-NLS-1$
		byte[] hash = md.digest(password.getBytes("UTF-8")); //$NON-NLS-1$
		// Base64-encode the 16-byte digest; trim() strips any trailing line break
		result = encodeBASE64(hash).trim();
	}
	catch (Exception e)
	{
		Debug.error(e);
	}
	return result;
}

So it is MD5 and then Base64 encoded.

Excellent! Much thanks!

Any reason you have chosen not to salt the hash?

It’s common practice to store password hashes with something like… hash = md5 ( ( password + salt ) + salt )

Any update to how this is done? Plain MD5 without a salt has long been considered broken for password hashing.

http://www.kb.cert.org/vuls/id/836068
http://en.wikipedia.org/wiki/Rainbow_table
http://www.freerainbowtables.com/

We can’t just change it… That would break all existing solutions that use existing user/password combinations.

Please create a case for this if you want to use MD5+salt or SHA. I guess this must then be a system setting somewhere where you can switch…

I noticed revs 5807 & 5823 in the trunk, and from the commit message and corresponding code they seem to address the issue of storing passwords as MD5 hashes. They reference a ticket (SVY-319) that is not publicly accessible, so can you confirm that this will be upcoming in Servoy 6.1?

https://www.servoyforge.net/projects/se … sions/5807
https://www.servoyforge.net/projects/se … sions/5823

Yes, from now on new passwords will be stored by a different hashing algo: http://en.wikipedia.org/wiki/PBKDF2

Johan,

Doesn’t this break existing solutions, as you mentioned in this topic before?

No, because we store in the database which kind it is.
So by default we expect the old MD5,
but if we see a new entry (having a specific prefix) we know it is the new way.
And for all new passwords (when you create a new user/pw or update an existing pw) the new way is used and the hash has the new prefix.
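Putting together the two schemes described in this thread (the legacy MD5+Base64 hash quoted earlier, and the prefixed PBKDF2 entries with the old format as the default), here is an added Python example that is not Servoy's code: it reproduces the legacy string so an external authentication system can verify migrated users, detects the new format by its prefix, and upgrades a legacy record after a successful login. The thread only says PBKDF2 with "a specific prefix", so the prefix, the PRF (HMAC-SHA256), the iteration count, the salt length and the '$'-separated Base64 layout are all assumptions made here, not Servoy's actual format.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Legacy Servoy scheme as quoted in the thread: unsalted MD5 over the UTF-8
# password, Base64 encoded. This is the string an external system must
# reproduce to verify users migrated out of Servoy.
def legacy_md5_base64(password: str) -> str:
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").strip()

# The thread only says new entries use PBKDF2 and carry "a specific prefix".
# Everything below (prefix, HMAC-SHA256 as PRF, iteration count, salt length,
# '$'-separated Base64 fields) is an assumption for this illustration.
NEW_PREFIX = "pbkdf2-sha256$"
ITERATIONS = 100_000
SALT_BYTES = 16

def new_pbkdf2(password: str, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt (or the one given, for deterministic checks)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (
        NEW_PREFIX,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def is_new_format(stored: str) -> bool:
    return stored.startswith(NEW_PREFIX)

def verify(password: str, stored: str) -> bool:
    """Dispatch on the stored value: prefixed entries are PBKDF2, anything else
    is treated as the old MD5 default, exactly as the thread describes."""
    if is_new_format(stored):
        try:
            _, iters, salt_b64, dk_b64 = stored.split("$")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(dk_b64)
            iterations = int(iters)
        except ValueError:  # malformed entry (binascii.Error is a ValueError too)
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        return hmac.compare_digest(dk, expected)
    # Constant-time comparison of the recomputed legacy string with the stored one.
    return hmac.compare_digest(legacy_md5_base64(password).encode("ascii"),
                               stored.encode("utf-8"))

def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Return (success, value_to_store). A successful login against a legacy
    entry re-hashes the password so the record moves to the new format."""
    if not verify(password, stored):
        return False, stored
    if is_new_format(stored):
        return True, stored
    return True, new_pbkdf2(password)

if __name__ == "__main__":
    # Constructed sample user table: one legacy record, one new record.
    users = {
        "alice": legacy_md5_base64("correct horse"),
        "bob": new_pbkdf2("battery staple"),
    }
    ok, users["alice"] = login_and_upgrade("correct horse", users["alice"])
    print("alice login:", ok, "upgraded:", is_new_format(users["alice"]))
    print("bob wrong password accepted:", verify("nope", users["bob"]))
```

The upgrade-on-login step is the practical consequence of "by default we expect the old MD5": a legacy record can only be re-hashed when the plaintext is available, i.e. at the moment the user authenticates, so the share of unsalted MD5 entries shrinks as users log in rather than all at once.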