Password Hashing?

Got an idea? Missing something? Post your feature request here.

Moderator: moderators

Password Hashing?

Postby Kirk » Fri Mar 18, 2011 9:54 pm

I'd like to point out a flaw in the current Subsonic design... in the Subsonic database, user passwords are stored using hex encoding. While this is better than plaintext, it's very simple to convert the passwords in the database back to plaintext.

If someone were to gain access to my server who shouldn't have it - or if one of my trusted friends turned out to not be trustworthy - they could compromise any user account on my Subsonic server with a quick Google search and a copy\paste.

I recommend that one-way password hashing be implemented in the next version of Subsonic, replacing two-way encryption.
Image
User avatar
Kirk
 
Posts: 310
Joined: Tue Jun 08, 2010 5:45 pm
Location: Illinois, USA

Re: Password Hashing?

Postby ytechie » Tue Jan 03, 2012 7:44 am

I agree. The main reason this is important to me is that many people use the same password for many of their accounts on the internet. While I am not saying that this is a good practice, it can cause security issues not only if someone hacks in to your server, but if an administrator suddenly becomes curious. +1
User avatar
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Password Hashing?

Postby xionic » Wed Jan 11, 2012 9:19 am

+1
xionic
 
Posts: 4
Joined: Wed Jan 11, 2012 9:01 am

Re: Password Hashing?

Postby fonsoy » Wed Jan 11, 2012 9:48 am

+1

This is not hard to implement while increasing the security quite a lot. My users use the same password everywhere.
fonsoy
 
Posts: 38
Joined: Mon Jan 10, 2011 12:07 pm

Re: Password Hashing?

Postby williamkirby » Wed Jan 25, 2012 10:51 pm

+1
williamkirby
 
Posts: 7
Joined: Tue Jan 24, 2012 3:04 pm

Re: Password Hashing?

Postby piethein » Wed Jan 25, 2012 10:56 pm

+1
piethein
 
Posts: 35
Joined: Fri Dec 03, 2010 5:58 pm

Re: Password Hashing?

Postby Tanner Williamson » Fri Jan 27, 2012 7:12 pm

Even better would be password hashing + salting. Salting impedes rainbow table access (multi-gigabyte databases people can pre-hash out passwords with, and thus have the original dictionary value plus it's equivalent hash). This article here details some good implementations of password schemes to include salting, so as to make hashing even more secure.

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
Tanner Williamson https://www.tannerwilliamson.com/

Image
Tanner Williamson
 
Posts: 51
Joined: Mon Dec 14, 2009 7:30 am

Re: Password Hashing?

Postby text » Thu Feb 09, 2012 12:02 am

YES. WE NEED THIS.
text
 
Posts: 40
Joined: Tue Feb 07, 2012 7:34 am

Re: Password Hashing?

Postby jol » Wed Feb 15, 2012 9:45 pm

I would prefer to see the Subsonic user store being replaced by authentication against the local operating system (i.e. call su on *x or runas on Windows). For allmost all users remembering many - hopefully good - passwords and then changing them periodically is a pain, and reducing the number of passwords is helping the most. You can also think about mapping some authorizations/roles from OS to Subsonic.
Thanks, jol
Subsonic 4.7 running on Acer H340 with LDAP authentication / Windows Home Server 2011 - Android client (3.5)
jol
 
Posts: 52
Joined: Sat Jan 21, 2012 7:40 pm

Re: Password Hashing?

Postby Josh Hawley » Sat Apr 21, 2012 3:15 am

+1
Josh Hawley
 
Posts: 9
Joined: Wed Jan 12, 2011 10:14 pm

Re: Password Hashing?

Postby piethein » Mon Apr 23, 2012 6:30 pm

jol wrote:I would prefer to see the Subsonic user store being replaced by authentication against the local operating system (i.e. call su on *x or runas on Windows). For allmost all users remembering many - hopefully good - passwords and then changing them periodically is a pain, and reducing the number of passwords is helping the most. You can also think about mapping some authorizations/roles from OS to Subsonic.
Thanks, jol

You could use LDAP if you like, mapping authorizations would be a nice addon.

As would salting+hashing passwords in subsonic's standard uid/pw database be in any case
piethein
 
Posts: 35
Joined: Fri Dec 03, 2010 5:58 pm

Re: Password Hashing?

Postby jol » Mon Apr 23, 2012 8:26 pm

piethein wrote:You could use LDAP if you like
A Windows Home Server does not include Active Directory, and any other LDAP I am aware of will not integrate with Windows authentication, i.e. require double maintenance of users like Subsonic now. I was shortly considering to write a stripped down LDAP server that just does authentication against Windows, but LDAP is not all that trivial.
Subsonic 4.7 running on Acer H340 with LDAP authentication / Windows Home Server 2011 - Android client (3.5)
jol
 
Posts: 52
Joined: Sat Jan 21, 2012 7:40 pm

Re: Password Hashing?

Postby jol » Sun May 06, 2012 6:27 pm

I spent some time today looking whether I can add my own authentication mechanism - following my wish above I was planning to do basic authentication against an IIS site which in turn authenticates windows users - but it turned out to be a real challenge as Subsonic is still using acegisecurity rather than the newer versions of Spring security, which makes finding the correct documentation and sources more difficult, and also it looks like the newer version is easier to extend. And last but not least, it looks like the newer version supports salted hashed passwords out of the box.
I know it is on Sindre´s list, but line 595...
Best regards, jol
Subsonic 4.7 running on Acer H340 with LDAP authentication / Windows Home Server 2011 - Android client (3.5)
jol
 
Posts: 52
Joined: Sat Jan 21, 2012 7:40 pm

Re: Password Hashing?

Postby ytechie » Mon Jun 18, 2012 12:08 am

This needs to be bumped. I think that it is very important for security, and it doesn't seem too difficult to implement. So... Bump! :p
User avatar
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Password Hashing?

Postby hakko » Fri Jun 22, 2012 8:11 pm

I just upgraded my MusicCabinet mod to use Spring Security and salted, hashed passwords. It wasn't overly complicated. I'd be happy to share the code with Sindre if he's interested.
MusicCabinet developer
hakko
 
Posts: 1416
Joined: Tue Apr 17, 2012 7:05 pm
Location: Sweden

Next

Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 16 guests