
Passwords are insecure

Open bartgrantham opened this issue 6 years ago • 2 comments

You shouldn't hash passwords with SHA-256, and if you insist on hashing with SHA-256 with a salt you shouldn't publish the salt. The salt should be random per installation and treated as sensitive data like an encryption key.

Best practice is to use bcrypt (best) or PBKDF2 (a close second) to make generation of rainbow tables impractical. Here's a pretty good primer on password management.

bartgrantham, Aug 08 '17 16:08
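The difference raised in the comment above, as an added example that is not part of the original thread or of FriendUP's code: one SHA-256 pass with a published salt gives every account with the same password the same record, while PBKDF2 with a random salt per password does not and charges the full iteration count for each guess. The salt value, function names, record format and iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a salt that ships in public source code.
PUBLISHED_SALT = b"constructed-public-salt"
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def weak_hash(password: str) -> str:
    """The reported pattern: one fast SHA-256 pass with a known salt."""
    return hashlib.sha256(PUBLISHED_SALT + password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt for every password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Keep scheme, cost and salt beside the hash so the cost can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except (ValueError, OverflowError):
        return False  # malformed record: reject instead of raising


if __name__ == "__main__":
    # Two accounts sharing one password (constructed sample data).
    print("weak records identical:", weak_hash("hunter2") == weak_hash("hunter2"))
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("pbkdf2 records differ: ", a != b)
    print("correct password:      ", verify_password("hunter2", a))
    print("wrong password:        ", verify_password("wrong", a))
```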

Sorry for being a bit late to reply. And right you are. As you may know from looking at the code, we support auth modules, and we have one that will replace the default login scheme. We will push this to the repository in v1.0.1. It uses a keypair for the authentication and is much more secure.

Thank you for the feedback!

titlestad, Aug 11 '17 11:08

  1. Have to have this folder in the login module

https://github.com/FriendUPCloud/friendup/tree/master/modules/login/secure

  2. Update this to /build/cfg/cfg.ini

[LoginModules]
use = php.authmod
modules = secure,fcdb

  3. Create file in /build/cfg/ called secure.ini and put this data in

[Module]
login = modules/login/secure/secure.php;

  4. The login will then show "Secure Login" and it's using an RSA 1024-bit private key generated based on login credentials in JavaScript memory to authenticate with the server where the public key is stored, no password between client and server, tunnel encrypted + ajax transfer.

AceZeroX, Dec 20 '19 10:12