camunda BPM: CAM-6312

Use salts for password hashing


    Details

    • Type: Task
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 7.7.0, 7.7.0-alpha1
    • Component/s: engine
    • Labels:
      None

      Description

      With salts, instead of storing hash(password), an application stores hash(salt + password) in the database together with the salt, a random value generated separately for each user. This does not make the hash of a single password any harder to brute-force, but it protects the user base as a whole against precomputed dictionary/rainbow table attacks: an attacker who holds a precomputed table of hashes with their clear-text passwords and obtains a Camunda user database with unsalted hashes can look up every user's hash in that table at once. With a per-user salt, the precomputed table is useless and each user's hash has to be attacked separately. Note that passwords are hashed, not encrypted; the engine never needs to recover the clear text.

      Related articles:
      https://en.wikipedia.org/wiki/Salt_(cryptography)

      Implementation:

      • add SALT_ field to user table
      • decide on a sensible salt length
      • ensure backwards compatibility with existing unsalted password hashes
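      The following is an added example of the scheme the three steps above describe; it is illustrative code, not the Camunda engine's implementation. The column names PASSWORD_ and SALT_, the 16-byte salt length, the SHA-512 digest and the Base64 encoding of both values are assumptions. A row whose SALT_ is null is treated as a legacy unsalted hash, and is re-hashed with a fresh salt the next time its owner logs in, since that is the only moment the clear-text password is available.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Illustrative salted-hash scheme with a fallback for legacy unsalted rows.
 * Added example, not the Camunda engine's code: the column names PASSWORD_
 * and SALT_, the 16-byte salt and the SHA-512 digest are assumptions.
 */
public class SaltedPasswordExample {

    // Assumption: 16 random bytes (128 bit). More than enough to make two
    // users ending up with the same salt practically impossible.
    static final int SALT_BYTES = 16;
    static final String DIGEST = "SHA-512";
    static final SecureRandom RNG = new SecureRandom();

    /** Hypothetical user row. salt == null marks a row hashed before salts were introduced. */
    static final class StoredCredential {
        final String passwordHash; // PASSWORD_ column, Base64
        final String salt;         // SALT_ column, Base64, or null for legacy rows
        StoredCredential(String passwordHash, String salt) {
            this.passwordHash = passwordHash;
            this.salt = salt;
        }
    }

    /** hash(salt || password); with salt == null this is the legacy unsalted hash(password). */
    static String digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance(DIGEST);
            if (salt != null) {
                md.update(salt);
            }
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(md.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(DIGEST + " not available", e);
        }
    }

    /** Create a new row: fresh random salt per user, stored next to the hash. */
    static StoredCredential create(String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return new StoredCredential(digest(salt, password),
                                    Base64.getEncoder().encodeToString(salt));
    }

    /** Verify a login; legacy rows (no salt) are compared against the unsalted hash. */
    static boolean verify(StoredCredential stored, String candidate) {
        byte[] salt = stored.salt == null ? null : Base64.getDecoder().decode(stored.salt);
        byte[] computed = digest(salt, candidate).getBytes(StandardCharsets.UTF_8);
        byte[] expected = stored.passwordHash.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison, so the check does not leak how many leading bytes match.
        return MessageDigest.isEqual(computed, expected);
    }

    /**
     * Migration path: a legacy row is re-hashed with a fresh salt the first
     * time its owner logs in successfully; all other rows are returned unchanged.
     */
    static StoredCredential upgradeIfLegacy(StoredCredential stored, String candidate) {
        if (stored.salt != null || !verify(stored, candidate)) {
            return stored;
        }
        return create(candidate);
    }

    public static void main(String[] args) {
        // Constructed sample data: two users choose the same password.
        StoredCredential alice = create("correct horse battery staple");
        StoredCredential bob = create("correct horse battery staple");
        System.out.println("same password, same stored hash? "
                + alice.passwordHash.equals(bob.passwordHash));
        System.out.println("alice verifies: " + verify(alice, "correct horse battery staple"));
        System.out.println("wrong password: " + verify(alice, "Correct horse battery staple"));

        // Constructed legacy row: unsalted hash, SALT_ is null.
        StoredCredential legacy = new StoredCredential(digest(null, "hunter2"), null);
        System.out.println("legacy verifies: " + verify(legacy, "hunter2"));
        StoredCredential upgraded = upgradeIfLegacy(legacy, "hunter2");
        System.out.println("upgraded has salt: " + (upgraded.salt != null)
                + ", still verifies: " + verify(upgraded, "hunter2"));
    }
}
```

      The digest is a single SHA-512 pass over salt and password, which is exactly what this ticket asks for. Salting defeats precomputation but does not slow down guessing an individual password, so the usual follow-up is a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) in place of the plain digest; the storage layout and the legacy fallback above stay the same.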


            People

            Assignee:
            thorben.lindhauer Thorben Lindhauer
            Reporter:
            thorben.lindhauer Thorben Lindhauer
            Votes: 0
            Watchers: 2
