Details
- Task
- Resolution: Fixed
- L3 - Default
Description
When using salts, instead of storing hash(password), an application stores hash(password + salt) in the database along with the salt (a random value per user). While this does not make the hash of a single password stronger, it improves the protection of the entire user base against so-called dictionary/rainbow table attacks: if an attacker holds a precomputed set of hashes with their clear text passwords and obtains a Camunda user database with hashed passwords, it is much more likely that passwords are compromised when no salts are used.
Related articles:
https://en.wikipedia.org/wiki/Salt_(cryptography)
Implementation:
- add SALT_ field to user table
- decide on a sensible salt length
- ensure backwards compatibility with unsalted passwords
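A sketch of the scheme and of the compatibility path for existing unsalted rows, added here as example code rather than Camunda's implementation; it assumes SHA-256 as the digest, a 16-byte salt, a PASSWORD_ column name, and a NULL SALT_ marking a legacy unsalted row (the task fixes none of these):

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters: the task leaves digest and salt length open.
# A deliberately slow KDF (e.g. PBKDF2/bcrypt) would be the usual
# choice today; hash(password + salt) is kept to match the description.
SALT_LENGTH = 16


def hash_password(password: str, salt: Optional[bytes]) -> str:
    """hash(password + salt); salt=None reproduces the legacy unsalted hash."""
    data = password.encode("utf-8") + (salt if salt is not None else b"")
    return hashlib.sha256(data).hexdigest()


def create_user_record(password: str) -> dict:
    """Build the row for a new user: per-user random salt, stored next to the hash."""
    salt = os.urandom(SALT_LENGTH)
    return {"PASSWORD_": hash_password(password, salt), "SALT_": salt.hex()}


def check_password(record: dict, password: str) -> Tuple[bool, Optional[dict]]:
    """Verify a login against a stored row.

    SALT_ of None means a legacy unsalted row (backwards compatibility).
    Returns (ok, upgraded_row): when a legacy row authenticates, upgraded_row
    is a freshly salted replacement the caller should write back, so the
    user base migrates to salted hashes transparently on next login.
    """
    salt_hex = record.get("SALT_")
    salt = bytes.fromhex(salt_hex) if salt_hex else None
    candidate = hash_password(password, salt)
    # constant-time comparison avoids leaking how many leading bytes match
    ok = hmac.compare_digest(candidate, record["PASSWORD_"])
    if ok and salt is None:
        return True, create_user_record(password)
    return ok, None
```

Two users with the same password now get different PASSWORD_ values, so one precomputed table no longer covers the whole user base.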