Password Hashing?


Postby Kirk » Fri Mar 18, 2011 9:54 pm

I'd like to point out a flaw in the current Subsonic design... in the Subsonic database, user passwords are stored using hex encoding. While this is better than plaintext, it's very simple to convert the passwords in the database back to plaintext.

If someone were to gain access to my server who shouldn't have it - or if one of my trusted friends turned out to not be trustworthy - they could compromise any user account on my Subsonic server with a quick Google search and a copy/paste.

I recommend that one-way password hashing be implemented in the next version of Subsonic, replacing two-way encryption.
Kirk
 
Posts: 310
Joined: Tue Jun 08, 2010 5:45 pm
Location: Illinois, USA

Re: Password Hashing?

Postby ytechie » Tue Jan 03, 2012 7:44 am

I agree. The main reason this is important to me is that many people use the same password for many of their accounts on the internet. While I am not saying that this is a good practice, it can cause security issues not only if someone hacks into your server, but if an administrator suddenly becomes curious. +1
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Password Hashing?

Postby xionic » Wed Jan 11, 2012 9:19 am

+1
xionic
 
Posts: 4
Joined: Wed Jan 11, 2012 9:01 am

Re: Password Hashing?

Postby fonsoy » Wed Jan 11, 2012 9:48 am

+1

This is not hard to implement while increasing the security quite a lot. My users use the same password everywhere.
fonsoy
 
Posts: 38
Joined: Mon Jan 10, 2011 12:07 pm

Re: Password Hashing?

Postby williamkirby » Wed Jan 25, 2012 10:51 pm

+1
williamkirby
 
Posts: 7
Joined: Tue Jan 24, 2012 3:04 pm

Re: Password Hashing?

Postby piethein » Wed Jan 25, 2012 10:56 pm

+1
piethein
 
Posts: 35
Joined: Fri Dec 03, 2010 5:58 pm

Re: Password Hashing?

Postby Tanner Williamson » Fri Jan 27, 2012 7:12 pm

Even better would be password hashing + salting. Salting impedes rainbow table access (multi-gigabyte databases people can pre-hash out passwords with, and thus have the original dictionary value plus its equivalent hash). This article here details some good implementations of password schemes to include salting, so as to make hashing even more secure.

http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html
Tanner Williamson https://www.tannerwilliamson.com/

Tanner Williamson
 
Posts: 51
Joined: Mon Dec 14, 2009 7:30 am
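
Added example, not part of any post above and not Subsonic's code: it contrasts the reversible hex storage described in the first post with the salted one-way hashing suggested here, and shows how an existing hex row could be migrated. PBKDF2-HMAC-SHA256, the record format, the iteration count and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def hex_encode(password: str) -> str:
    """Reversible storage as described in the first post: hex of the raw bytes."""
    return password.encode("utf-8").hex()


def hex_decode(stored: str) -> str:
    """Anyone who can read the stored value gets the password back directly."""
    return bytes.fromhex(stored).decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way storage with a random per-user salt.

    Record format (assumed): pbkdf2_sha256$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed record: wrong field count, bad hex, bad iteration count
        return False
    return hmac.compare_digest(candidate, expected)


def migrate_hex_record(stored_hex: str) -> str:
    """Upgrade an existing hex-encoded row to a salted hash without asking the user."""
    return hash_password(hex_decode(stored_hex))
```

Because each record carries its own salt, two users with the same password get different stored values, so a precomputed table cannot be reused across accounts.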

Re: Password Hashing?

Postby text » Thu Feb 09, 2012 12:02 am

YES. WE NEED THIS.
text
 
Posts: 40
Joined: Tue Feb 07, 2012 7:34 am

Re: Password Hashing?

Postby jol » Wed Feb 15, 2012 9:45 pm

I would prefer to see the Subsonic user store being replaced by authentication against the local operating system (i.e. call su on *x or runas on Windows). For almost all users remembering many - hopefully good - passwords and then changing them periodically is a pain, and reducing the number of passwords is helping the most. You can also think about mapping some authorizations/roles from OS to Subsonic.
Thanks, jol
Subsonic 4.7 running on Acer H340 with LDAP authentication / Windows Home Server 2011 - Android client (3.5)
jol
 
Posts: 52
Joined: Sat Jan 21, 2012 7:40 pm

Re: Password Hashing?

Postby Josh Hawley » Sat Apr 21, 2012 3:15 am

+1
Josh Hawley
 
Posts: 9
Joined: Wed Jan 12, 2011 10:14 pm

Re: Password Hashing?

Postby piethein » Mon Apr 23, 2012 6:30 pm

jol wrote: I would prefer to see the Subsonic user store being replaced by authentication against the local operating system (i.e. call su on *x or runas on Windows). For almost all users remembering many - hopefully good - passwords and then changing them periodically is a pain, and reducing the number of passwords is helping the most. You can also think about mapping some authorizations/roles from OS to Subsonic.
Thanks, jol

You could use LDAP if you like, mapping authorizations would be a nice addon.

As would salting+hashing passwords in Subsonic's standard uid/pw database be in any case.
piethein
 
Posts: 35
Joined: Fri Dec 03, 2010 5:58 pm

Re: Password Hashing?

Postby jol » Mon Apr 23, 2012 8:26 pm

piethein wrote: You could use LDAP if you like
A Windows Home Server does not include Active Directory, and any other LDAP I am aware of will not integrate with Windows authentication, i.e. require double maintenance of users like Subsonic now. I was shortly considering to write a stripped down LDAP server that just does authentication against Windows, but LDAP is not all that trivial.
Subsonic 4.7 running on Acer H340 with LDAP authentication / Windows Home Server 2011 - Android client (3.5)
jol
 
Posts: 52
Joined: Sat Jan 21, 2012 7:40 pm

Re: Password Hashing?

Postby jol » Sun May 06, 2012 6:27 pm

I spent some time today looking whether I can add my own authentication mechanism - following my wish above I was planning to do basic authentication against an IIS site which in turn authenticates windows users - but it turned out to be a real challenge as Subsonic is still using acegisecurity rather than the newer versions of Spring security, which makes finding the correct documentation and sources more difficult, and also it looks like the newer version is easier to extend. And last but not least, it looks like the newer version supports salted hashed passwords out of the box.
I know it is on Sindre's list, but line 595...
Best regards, jol
Subsonic 4.7 running on Acer H340 with LDAP authentication / Windows Home Server 2011 - Android client (3.5)
jol
 
Posts: 52
Joined: Sat Jan 21, 2012 7:40 pm

Re: Password Hashing?

Postby ytechie » Mon Jun 18, 2012 12:08 am

This needs to be bumped. I think that it is very important for security, and it doesn't seem too difficult to implement. So... Bump! :p
ytechie
 
Posts: 547
Joined: Sun Dec 12, 2010 5:05 am
Location: Manhattan, New York

Re: Password Hashing?

Postby hakko » Fri Jun 22, 2012 8:11 pm

I just upgraded my MusicCabinet mod to use Spring Security and salted, hashed passwords. It wasn't overly complicated. I'd be happy to share the code with Sindre if he's interested.
MusicCabinet developer
hakko
 
Posts: 1416
Joined: Tue Apr 17, 2012 7:05 pm
Location: Sweden
