Freeciv-web password storage change

Web version of freeciv at play.freeciv.org
AndreasR
Elite
Posts: 701
Joined: Thu May 02, 2013 10:26 pm
Location: Norway

Freeciv-web password storage change

Postby AndreasR » Sun Mar 26, 2017 7:22 pm

I have just updated the way Freeciv-web stores passwords, to a more secure method. If you have any problems logging in,
then please try clearing your browser cache and log in again, and report any problems you might have.
The change is that passwords are now hashed using SHA-512 instead of MD5.

edd
Posts: 14
Joined: Wed Jun 12, 2013 6:22 am

Re: Freeciv-web password storage change

Postby edd » Mon Mar 27, 2017 2:06 am

Hi, password hashing requires more than just using an MD5 or SHA-512 hash function (a user-specific salt and a password hash that is CPU- and memory-hard). Just using SHA-512 is not good. A typical password solution could make use of SHA-512, but would repeat it many times according to some particular algorithm.

In password storage terms you want something like PBKDF2 or bcrypt (these are the old but still adequate algorithms). For state of the art you'd look at http://password-hashing.net/ (I was hoping they would have linked to easy-to-read introductions to the subject, but it doesn't really look like it).

edd
Posts: 14
Joined: Wed Jun 12, 2013 6:22 am

Re: Freeciv-web password storage change

Postby edd » Mon Mar 27, 2017 2:20 am

Here's a simple test that is necessary for a minimal level of password security:

If two users have the same password, do you store the same derived key for them?

If the answer is yes, password storage is inadequate.

I will also get serious for a minute: If the answer to that question is yes, your password database is a liability to you: if it leaks, users' passwords are in danger not just on your site but everywhere a user might use the same password! Why is this your liability? Because it is negligence with personal information.
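Putting edd's "same password, same stored key?" test and his PBKDF2 suggestion into code, as an added example that is not Freeciv-web's own (the project's Java code uses commons-codec Crypt instead); the iteration count and the sample password are assumptions:

```python
"""Added example (not Freeciv-web code): the 'same password, same stored key?'
test from the thread, run against plain SHA-512 and against salted PBKDF2."""
import hashlib
import hmac
import os
from typing import Callable, Optional

# Work factor is an assumption; tune it to the login latency you can afford.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def plain_sha512(password: str) -> str:
    """Unsalted single SHA-512: the scheme edd objects to."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA512. The salt and the work
    factor are stored with the key so verification can repeat them."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not reveal how much of the key matched."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def same_key_for_same_password(store: Callable[[str], str]) -> bool:
    """edd's test: do two users with the same password get the same stored
    value? True means the storage scheme fails the minimal check."""
    sample = "hunter2"  # constructed sample password, not a real credential
    return store(sample) == store(sample)


if __name__ == "__main__":
    print("plain SHA-512 fails the test:", same_key_for_same_password(plain_sha512))
    print("salted PBKDF2 fails the test:", same_key_for_same_password(pbkdf2_record))
    rec = pbkdf2_record("hunter2")
    print("verify correct password:", verify_pbkdf2("hunter2", rec))
    print("verify wrong password:", verify_pbkdf2("hunter3", rec))
```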

AndreasR
Elite
Posts: 701
Joined: Thu May 02, 2013 10:26 pm
Location: Norway

Re: Freeciv-web password storage change

Postby AndreasR » Mon Mar 27, 2017 8:05 pm

edd wrote: Here's a simple test that is necessary for a minimal level of password security:

If two users have the same password, do you store the same derived key for them?

The answer to this is no. Freeciv-web uses org.apache.commons.codec.digest.Crypt to hash the passwords securely.
I found this article informative: https://crackstation.net/hashing-security.htm

edd
Posts: 14
Joined: Wed Jun 12, 2013 6:22 am

Re: Freeciv-web password storage change

Postby edd » Mon Mar 27, 2017 9:00 pm

That sounds good!

(Note: You implemented this after I pointed it out, maybe you are a big enough person to admit that? What kinds of errors we make in life doesn't matter, it's how we respond to them that matters. Fixing it is great.)