Move to stronger password hash #2353

Closed
TheAspens opened this issue Feb 16, 2018 · 6 comments

@TheAspens
Member

BOINC currently stores passwords using a salted md5 hash. This is no longer considered secure. Please review the design at https://boinc.berkeley.edu/trac/wiki/PasswordHash for a proposal to change this to using an updated password hash.

@nicolas17
Contributor

MD5 is bad because of the speed at which hashes can be brute-forced by modern hardware. But currently, BOINC password security is not MD5-level; it's plaintext-level. The client sends md5(passwd+email_addr) to authenticate, and the server stores md5(passwd+email_addr) in the database. If the database is compromised, the attacker gets the hashes and can use them to authenticate directly (on any BOINC project where the user used the same email and password!). There is no need to brute-force anything. The hash is the password.

If this proposal is implemented, this problem will be fixed. The client will send md5(p+e) and the database will store bcrypt(md5(p+e)) so now the attacker needs to brute-force the extremely hard bcrypt.

However, that's just for the password. Overall security is still plaintext-level. The client's normal requests authenticate with the "account key" or "authenticator", which is stored directly in the database. If the database is compromised, the attacker gets the account key and can do RPC requests or log in to the project website with it. To make things worse, unlike the password, there is no way for a user to change the authentication key.

So I approve of this change, but it's not enough to fix BOINC auth security.
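The difference between the two storage schemes described in the comment above, as an added example that is not part of the original thread or BOINC's code. PBKDF2 from the Python standard library stands in for bcrypt so the block runs without third-party packages; the function names, the `salt$digest` column format, the work factor and the sample account are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the stand-in KDF


def client_hash(password: str, email: str) -> str:
    """Value the client sends, per the comment: md5(passwd+email_addr)."""
    return hashlib.md5((password + email).encode()).hexdigest()


def legacy_store(passwd_hash: str) -> str:
    """Current scheme: the database column holds the client's hash unchanged."""
    return passwd_hash


def legacy_verify(stored: str, presented: str) -> bool:
    return hmac.compare_digest(stored.encode(), presented.encode())


def _slow_hash(passwd_hash: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt(md5(p+e)); a deployment would use bcrypt itself.
    return hashlib.pbkdf2_hmac("sha256", passwd_hash.encode(), salt, ITERATIONS)


def proposed_store(passwd_hash: str) -> str:
    """Proposed scheme: store slow_hash(md5(p+e)) with a per-row random salt."""
    salt = os.urandom(16)
    return salt.hex() + "$" + _slow_hash(passwd_hash, salt).hex()


def proposed_verify(stored: str, presented: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    candidate = _slow_hash(presented, bytes.fromhex(salt_hex))
    return hmac.compare_digest(bytes.fromhex(digest_hex), candidate)


def stored_value_is_credential(store, verify, passwd_hash: str) -> bool:
    """True if presenting the database column itself passes verification."""
    stored = store(passwd_hash)
    return verify(stored, stored)


if __name__ == "__main__":
    h = client_hash("correct horse", "user@example.org")  # constructed account
    print("legacy column usable as login:",
          stored_value_is_credential(legacy_store, legacy_verify, h))
    print("proposed column usable as login:",
          stored_value_is_credential(proposed_store, proposed_verify, h))
```

This covers only the password column; the account key discussed in the same comment is a separate stored credential and is unaffected by this change.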

@brevilo
Contributor

brevilo commented Feb 19, 2018

I fully agree, Nicolas.

@TheAspens
Member Author

@nicolas17 and @brevilo - I agree completely with what you were saying. I have created issue #2371 for the issues around the "account key" or "authenticator"; however, I won't be able to work on it at the moment, so if someone else could take up the effort that would be great.

@TheAspens
Member Author

Does anyone else have feedback on this item (@davidpanderson)? Otherwise I plan to start on this next week.

@brevilo
Contributor

brevilo commented May 29, 2018

I guess this can be closed, right?

@davidpanderson
Contributor

yup
