Type: Task
Resolution: Fixed
Priority: L3 - Default
Affects Version/s: None
Component/s: engine
When using salts, instead of storing hash(password), an application stores hash(password + salt) in the database together with the salt (a random value generated per user). This does not make the hash of a single password any harder to brute-force, but it does protect the user base as a whole against dictionary and rainbow-table attacks: an attacker who holds a precomputed table of hashes and their clear-text passwords, plus a copy of a Camunda user database with hashed passwords, can recover passwords far more easily when no salts are used, because every stored hash can be looked up directly in the table. With a per-user salt the table has to be recomputed for each salt, and two users sharing the same password no longer share the same stored hash.
Related articles:
https://en.wikipedia.org/wiki/Salt_(cryptography)
Implementation:
- add SALT_ field to user table
- decide sensible length of salt
- ensure backwards compatibility with unsalted passwords
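The scheme described above and the three implementation steps, as an added Python example that is not Camunda's own code: a user row keeps a PASSWORD_ digest and a SALT_ column, the digest is hash(password + salt) with a 16-byte random salt (the length is an assumption, as is the choice of SHA-512), legacy rows carry an empty SALT_ and are still accepted, and a successful login against a legacy row transparently re-hashes the password with a fresh salt. The in-memory dict standing in for the user table and the "precomputed table" are constructed for the example; the last function shows why unsalted rows are the ones a precomputed table cracks. Note that a plain fast hash, salted or not, does nothing to slow a per-user brute-force attempt; the salt only defeats precomputation.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

SALT_BYTES = 16  # assumed sensible salt length: 128 random bits per user


def digest(password: str, salt: Optional[bytes]) -> str:
    """hash(password + salt). A salt of None reproduces the legacy unsalted digest."""
    data = password.encode("utf-8") + (salt if salt is not None else b"")
    return hashlib.sha512(data).hexdigest()


def create_user(db: Dict[str, dict], user_id: str, password: str) -> None:
    """Store a salted digest plus the salt (hex) in the SALT_ column."""
    salt = os.urandom(SALT_BYTES)
    db[user_id] = {"PASSWORD_": digest(password, salt), "SALT_": salt.hex()}


def add_legacy_user(db: Dict[str, dict], user_id: str, password: str) -> None:
    """Constructed pre-migration row: unsalted digest, empty SALT_ column."""
    db[user_id] = {"PASSWORD_": digest(password, None), "SALT_": ""}


def check_password(db: Dict[str, dict], user_id: str, password: str) -> bool:
    """Verify against salted or legacy rows; upgrade legacy rows on success."""
    row = db.get(user_id)
    if row is None:
        # Hash anyway so unknown users cost about the same time as known ones.
        digest(password, os.urandom(SALT_BYTES))
        return False
    salt = bytes.fromhex(row["SALT_"]) if row["SALT_"] else None
    ok = hmac.compare_digest(digest(password, salt), row["PASSWORD_"])
    if ok and salt is None:
        # Backwards compatibility: accept the unsalted digest once, then re-store
        # the password with a fresh random salt so the legacy hash disappears.
        create_user(db, user_id, password)
    return ok


def precomputed_hits(db: Dict[str, dict], table: Dict[str, str]) -> Dict[str, str]:
    """Look every stored digest up in a precomputed hash->password table.

    Only unsalted rows can match: the attacker's table was built without the
    per-user salts, so salted digests never appear in it.
    """
    return {uid: table[row["PASSWORD_"]]
            for uid, row in db.items() if row["PASSWORD_"] in table}


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    create_user(users, "alice", "hunter2")
    create_user(users, "bob", "hunter2")        # same password, different digest
    add_legacy_user(users, "carol", "hunter2")  # unsalted row from before migration
    rainbow = {digest("hunter2", None): "hunter2"}  # constructed attacker table
    print("cracked before login:", precomputed_hits(users, rainbow))
    print("carol login ok:", check_password(users, "carol", "hunter2"))
    print("cracked after upgrade:", precomputed_hits(users, rainbow))
```

Two users with the same password end up with different PASSWORD_ values, a precomputed table built from unsalted hashes only recovers the legacy row, and after carol's next successful login that row has been re-stored with a salt and no longer matches the table.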