Question about Servoy security

Questions and Answers on installation, deployment, management, locking, transactions of Servoy Application Server

Question about Servoy security

Postby guerry » Tue Nov 09, 2010 5:13 pm

Hi,

I'm new to servoy, and have trawled the forums looking for an answer to the following question. I saw from this post (http://forum.servoy.com/viewtopic.php?f=5&t=12472) that Servoy stores passwords using a one-way, irreversible hash. Is the hash algorithm a known, standard published one, such as the salted password approaches used on Unix/Linux?

I am contemplating using an external authentication scheme, but want to be able to migrate existing users and passwords to the external system. Therefore, I need to be able to carry the existing password encryption scheme with me (just one among several options).

Much thanks in advance.
guerry
 
Posts: 37
Joined: Tue Nov 09, 2010 4:51 pm

Re: Question about Servoy security

Postby jcompagner » Thu Nov 11, 2010 1:40 pm

this is the code that creates the hash of the passwords:

Code:
import java.security.MessageDigest;

// encodeBASE64(byte[]) and Debug.error(Throwable) are Servoy-internal helpers.
// The result is the unsalted MD5 digest of the UTF-8 password bytes, base64 encoded.
public static String calculateMD5HashBase64(String password)
{
   String result = null;
   try
   {
      MessageDigest md = MessageDigest.getInstance("MD5"); //$NON-NLS-1$
      byte[] hash = md.digest(password.getBytes("UTF-8")); //$NON-NLS-1$
      result = encodeBASE64(hash).trim();
   }
   catch (Exception e)
   {
      Debug.error(e);
   }
   return result;
}


so it is MD5 and then base64 encoded.
Johan Compagner
Servoy
jcompagner
 
Posts: 8833
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Question about Servoy security

Postby guerry » Thu Nov 11, 2010 7:07 pm

Excellent! Much thanks!
guerry
 
Posts: 37
Joined: Tue Nov 09, 2010 4:51 pm

Re: Question about Servoy security

Postby ryanparrish » Fri Nov 12, 2010 5:27 pm

Any reason you have chosen not to salt the hash?

It's common practice to store password hashes with something like... hash = md5 ( ( password + salt ) + salt )
ryanparrish
 
Posts: 162
Joined: Thu May 17, 2007 7:49 pm
Location: Miami, FL

Re: Question about Servoy security

Postby ryanparrish » Wed Jun 29, 2011 4:17 pm

Any update to how this is done? plain MD5 without a salt has long been considered broken for password hashing.


http://www.kb.cert.org/vuls/id/836068
http://en.wikipedia.org/wiki/Rainbow_table
http://www.freerainbowtables.com/
ryanparrish
 
Posts: 162
Joined: Thu May 17, 2007 7:49 pm
Location: Miami, FL

Re: Question about Servoy security

Postby jcompagner » Wed Jun 29, 2011 4:26 pm

we can't just change it.. That would break all existing solutions that use existing users/password combinations.

Please create a case for this if you want to use MD5+salt or SHA, i guess this must then be a system setting somewhere where you can switch..
Johan Compagner
Servoy
jcompagner
 
Posts: 8833
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Question about Servoy security

Postby ryanparrish » Tue Jun 12, 2012 3:15 pm

I noticed revs 5807 & 5823 in the trunk, and from the commit message and corresponding code they seem to address the issue of storing passwords as MD5 hashes. They reference a ticket (SVY-319) that is not publicly accessible, so can you confirm that this will be upcoming in servoy 6.1?

https://www.servoyforge.net/projects/se ... sions/5807
https://www.servoyforge.net/projects/se ... sions/5823
ryanparrish
 
Posts: 162
Joined: Thu May 17, 2007 7:49 pm
Location: Miami, FL

Re: Question about Servoy security

Postby jcompagner » Tue Jun 19, 2012 2:14 pm

yes from now on new passwords will be stored by a different hashing algo: http://en.wikipedia.org/wiki/PBKDF2
Johan Compagner
Servoy
jcompagner
 
Posts: 8833
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: Question about Servoy security

Postby Harjo » Tue Jun 19, 2012 2:51 pm

Johan,

doesn't this break existing solutions as you mentioned in this topic before?
Harjo Kompagnie
ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
Harjo
 
Posts: 4321
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Re: Question about Servoy security

Postby jcompagner » Tue Jun 19, 2012 2:57 pm

no because we store in the database which kind it is
so by default we expect the old MD5
but if we see a new entry (having a specific prefix) we know it is the new way.
And all new passwords (when you create a new user/pw or update an existing pw) the new way is used and the hash has the new prefix
Johan Compagner
Servoy
jcompagner
 
Posts: 8833
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet
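The scheme Johan describes above (unprefixed entries are the old unsalted MD5+base64, prefixed entries are PBKDF2) and Ryan's earlier point about salting, as an added example that is not Servoy's code: a verifier that dispatches on the stored format and migrates a legacy entry to a salted PBKDF2 hash at login time, when the plaintext is available. The prefix string, the iteration count and the salt/hash layout are assumptions, since the thread does not give Servoy's actual format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed for this example: the thread says new entries carry "a specific prefix"
# but does not give it, so this marker and the iteration count are assumptions.
PBKDF2_PREFIX = "pbkdf2-sha256$"
PBKDF2_ITERATIONS = 100_000


def legacy_md5_base64(password: str) -> str:
    """The original scheme from the thread: unsalted MD5 of the UTF-8 password, base64 encoded."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii").strip()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; salt and iteration count are stored with the hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (PBKDF2_PREFIX, iterations,
                           base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(dk).decode("ascii"))


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Dispatch on the stored format as the thread describes: a prefixed entry is PBKDF2,
    anything else is treated as the old MD5. Returns (ok, replacement); replacement is
    set only when a legacy entry verified and should be rewritten in the new format."""
    if stored.startswith(PBKDF2_PREFIX):
        parts = stored.split("$")
        if len(parts) != 4:
            return False, None
        recomputed = pbkdf2_hash(password, base64.b64decode(parts[2]), int(parts[1]))
        return hmac.compare_digest(recomputed, stored), None
    ok = hmac.compare_digest(legacy_md5_base64(password), stored)
    # Upgrade-on-login: the plaintext is in hand here, so migrate the legacy entry now.
    return ok, (pbkdf2_hash(password) if ok else None)


if __name__ == "__main__":
    old = legacy_md5_base64("password")
    ok, upgraded = verify("password", old)
    print(old, ok, upgraded)
    # Unsalted MD5 gives every user with this password the same stored value; salted PBKDF2 does not.
    print(legacy_md5_base64("password") == old, pbkdf2_hash("password") == upgraded)
```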

