ChiliProject is not maintained anymore. Please be advised that there will be no more updates.

We do not recommend that you setup new ChiliProject instances and we urge all existing users to migrate their data to a maintained system, e.g. Redmine. We will provide a migration script later. In the meantime, you can use the instructions by Christian Daehn.

Introduce PBKDF2 password hashes (Feature #1123)


Added by Holger Just at 2012-08-21 09:54 am. Updated at 2012-08-21 09:54 am.


Status: Open
Priority: Normal
Assignee: -
Category: User accounts
Target version: -
Start date: 2012-08-21
Due date:
% Done: 0%
Remote issue URL:
Affected version:

Description

Currently, ChiliProject stores passwords hashed as SHA1(salt + SHA1(password)). This scheme is not very safe against brute-force attacks, even more so when the whole database gets missing in action.

By introducing PBKDF2, we are able to store the passwords much more securely and are even able to later adjust the complexity factor when computers get faster again.

Gregor Schmidt started a plugin implementing this on GitHub. I'd like to pull this into the core when the following additional functionality is provided:

  • a way to migrate existing hashes to the new format "on-the-fly", i.e. during user login when we have the clear-text password
  • a way to expire passwords to enforce renewal of the password or alternatively a way to migrate the password hashes without requiring the clear-text password.
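The following is an added example that sketches the three pieces the description asks for; it is not code from ChiliProject or from Gregor Schmidt's plugin. It assumes a self-describing stored string (a "legacy$salt$sha1hex" encoding of the existing salt and hashed_password columns, "pbkdf2-sha256$iterations$salt$hash" for PBKDF2, and a "+legacy" variant for hashes that were wrapped without the clear-text password), SHA-256 as the PBKDF2 PRF, and a module name and iteration count chosen for illustration. Legacy hashes are verified with the SHA1(salt + SHA1(password)) scheme quoted in the description and re-hashed at login; hashes that must be migrated without a login are wrapped by running PBKDF2 over the legacy hash itself, and the stored iteration count lets the cost be raised later and refreshed on the next successful login.

```ruby
require 'openssl'
require 'digest/sha1'
require 'securerandom'

# Illustrative module; names, stored-string format and cost are assumptions.
module PasswordHashes
  ITERATIONS = 100_000   # current cost factor; raise it as hardware gets faster
  KEY_LENGTH = 32
  DIGEST     = 'sha256'
  PBKDF2_TAG = "pbkdf2-#{DIGEST}"

  # Legacy ChiliProject scheme as stated in the issue: SHA1(salt + SHA1(password))
  def self.legacy_hash(salt, password)
    Digest::SHA1.hexdigest(salt + Digest::SHA1.hexdigest(password))
  end

  # PBKDF2-HMAC-SHA256 via OpenSSL, returned as a hex string
  def self.pbkdf2(secret, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: iterations,
                             length: KEY_LENGTH, hash: DIGEST).unpack1('H*')
  end

  # Constant-time comparison so verification does not leak matching prefixes
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # New hash from a clear-text password: "pbkdf2-sha256$<iter>$<salt>$<hash>"
  def self.create(password, iterations: ITERATIONS)
    salt = SecureRandom.hex(16)
    "#{PBKDF2_TAG}$#{iterations}$#{salt}$#{pbkdf2(password, salt, iterations)}"
  end

  # Migration without the clear-text password: wrap the existing legacy hash.
  # The legacy salt is kept so the inner SHA1 step can be recomputed at login.
  def self.wrap_legacy(legacy_salt, legacy_hex, iterations: ITERATIONS)
    salt = SecureRandom.hex(16)
    "#{PBKDF2_TAG}+legacy$#{iterations}$#{legacy_salt}$#{salt}$" \
      "#{pbkdf2(legacy_hex, salt, iterations)}"
  end

  def self.verify(stored, password)
    parts = stored.split('$')
    case parts[0]
    when 'legacy'                       # legacy$<salt>$<sha1hex>
      secure_compare(legacy_hash(parts[1], password), parts[2])
    when PBKDF2_TAG                     # pbkdf2-sha256$<iter>$<salt>$<hash>
      secure_compare(pbkdf2(password, parts[2], parts[1].to_i), parts[3])
    when "#{PBKDF2_TAG}+legacy"         # ...+legacy$<iter>$<lsalt>$<salt>$<hash>
      inner = legacy_hash(parts[2], password)
      secure_compare(pbkdf2(inner, parts[3], parts[1].to_i), parts[4])
    else
      false
    end
  end

  # A hash needs re-hashing when it is not plain PBKDF2 or its cost is stale
  def self.needs_rehash?(stored)
    parts = stored.split('$')
    parts[0] != PBKDF2_TAG || parts[1].to_i < ITERATIONS
  end

  # On-the-fly migration at login: returns [ok, new_stored_value_or_nil].
  # The caller persists the new value when one is returned.
  def self.authenticate(stored, password)
    return [false, nil] unless verify(stored, password)
    [true, needs_rehash?(stored) ? create(password) : nil]
  end
end

if __FILE__ == $0
  # Constructed sample record in the legacy format
  legacy_salt = SecureRandom.hex(8)
  record = "legacy$#{legacy_salt}$#{PasswordHashes.legacy_hash(legacy_salt, 'secret')}"
  ok, upgraded = PasswordHashes.authenticate(record, 'secret')
  puts "login ok=#{ok}, upgraded to: #{upgraded}"
end
```

A sweep that calls wrap_legacy over every remaining "legacy$" row removes the weak hashes from the database without waiting for users to log in; the wrapped form is then replaced by a plain PBKDF2 hash the next time each user authenticates, and the same path handles future increases of ITERATIONS.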

Associated revisions

Revision 67e77581
Added by Jean-Philippe Lang at 2008-04-28 10:52 am

Translation updates (closes #1123, #1124):
  • Spanish (Gumer Coronel)
  • Norwegian (Kai Olav Fredriksen)

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1367 e93f8b46-1217-0410-a6f0-8f06a7374b81

History
