Details

    • Type: Task
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.7.0, 7.7.0-alpha1
    • Component/s: engine
    • Labels:
      None

      Description

      When using salts, instead of storing hash(password), an application stores hash(password + salt) in the database along with the salt (a random value per user). While this does not make the hash of a single password stronger, it improves the protection of the entire user base against so-called dictionary/rainbow table attacks: if an attacker has a precomputed set of hashes along with clear-text passwords, and a Camunda user database with hashed passwords, it is much more likely that passwords are compromised when no salts are used.

      Related articles:
      https://en.wikipedia.org/wiki/Salt_(cryptography)

      Implementation:

      • add SALT_ field to user table
      • decide sensible length of salt
      • ensure backwards compatibility with unsalted passwords
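
The scheme described above, written out as an added example (not Camunda engine code): per-user Base64-encoded salts, hash(password + salt) for new users, a fallback to the unsalted hash for legacy rows, and a check of which rows a precomputed table of unsalted hashes would still recover. SHA-256, a 16-byte salt and the PASSWORD_ column name are assumptions of this example; only SALT_ comes from the ticket.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LENGTH_BYTES = 16  # assumed; the ticket only asks to "decide a sensible length"


def generate_salt() -> str:
    """Random per-user salt, Base64-encoded so it can live in a text column."""
    return base64.b64encode(os.urandom(SALT_LENGTH_BYTES)).decode("ascii")


def hash_password(password: str, salt: Optional[str]) -> str:
    """hash(password + salt); a legacy row without a salt falls back to hash(password).

    SHA-256 is an assumption for this demo, not a statement about the engine's digest.
    """
    return hashlib.sha256((password + (salt or "")).encode("utf-8")).hexdigest()


def create_user(db: dict, user_id: str, password: str) -> None:
    """New users are always written with a fresh SALT_ value."""
    salt = generate_salt()
    db[user_id] = {"PASSWORD_": hash_password(password, salt), "SALT_": salt}


def create_legacy_user(db: dict, user_id: str, password: str) -> None:
    """A row written before the SALT_ column existed: unsalted hash, SALT_ is NULL."""
    db[user_id] = {"PASSWORD_": hash_password(password, None), "SALT_": None}


def check_password(db: dict, user_id: str, password: str) -> bool:
    """Backwards-compatible check: use the row's salt if present, else the unsalted scheme."""
    row = db.get(user_id)
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row["SALT_"]), row["PASSWORD_"])


def rows_exposed_to_precomputed_table(db: dict, common_passwords: list) -> list:
    """Users whose stored hash appears in a precomputed table of unsalted hashes.

    This is the exposure the description warns about: only unsalted rows match.
    """
    table = {hash_password(p, None): p for p in common_passwords}
    return [uid for uid, row in db.items() if row["PASSWORD_"] in table]
```

Two salted users sharing a password get different stored hashes, while the legacy row remains matchable until it is re-hashed with a salt on the user's next successful login.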

        Activity

        thorben.lindhauer Thorben Lindhauer added a comment -

        Review:

        • Base64EncodedSaltGenerator:
          • set method visibility to protected where possible
        • setSalt/getSalt should not be part of the User interface
        • SaltHashingTest:
          • remove all unused fields
          • Name the rule fields appropriately. They do not cache anything in this test
        • DeployUserWithoutSaltForPasswordHashingTest:
          • must contain an assertion

          People

          • Assignee:
            thorben.lindhauer Thorben Lindhauer
            Reporter:
            thorben.lindhauer Thorben Lindhauer