safetybox icon indicating copy to clipboard operation
safetybox copied to clipboard

Published 20 hours ago verified publisher icon aforward

Bad Cryptography

Open azet opened this issue 9 years ago • 10 comments

Hi,

You're using bad crypto throughout. For example hashing with MD5 is not encrypting data. I'd suggest adding a big warning in the README file and taking a look into http://cacr.uwaterloo.ca/hac/ :)

No offense but people that might not look at the code will get very bad security out of this module.

azet avatar Jul 17 '15 08:07 azet

No offence. I clearly document that this library focuses on simplicity and not security. From the docs.

Safetybox a collection of security oriented functions

This is oriented towards individuals that store passwords directly in their code, or some other not-so-hard-to-find location

Please submit a PR with enhancements, it will be much appreciated.

aforward avatar Jul 17 '15 09:07 aforward

Neither in the documentation nor in the README I can find any mention that the security of this project is lacking? :)

The problem is that even for storing passwords salted MD5 is a very bad choice. These days most people use bcrypt or scrypt for password hashing.

azet avatar Jul 17 '15 10:07 azet

screen shot 2015-07-17 at 7 11 21 am screen shot 2015-07-17 at 7 11 28 am

aforward avatar Jul 17 '15 11:07 aforward

http://hexdocs.pm/safetybox/

aforward avatar Jul 17 '15 11:07 aforward

@aforward yes. I was directly referring to this paragraph in my last comment.

azet avatar Jul 17 '15 11:07 azet

Sorry, it is implied as this is geared towards individuals that are doing really insecure things (i.e. plain text passwords directly in the core code base), so it's a step above.

Note that they give security "oriented" functions, and the implicitness of the target audience implies the degree to which it is secure. I don't mention how secure, but as you pointed out, it's not (but it is better than the approach being taken by the target audience).

I hope to see a PR from you soon, so that we can update the docs to show how secure the functions now are.

aforward avatar Jul 17 '15 11:07 aforward

I'm not really an Erlang expert - thanks for your explanation.

As I see it there is a library that currently supports strong crypto for elixir: https://github.com/electricFeel/savoyr as well as Erlang built-in crypto routines which look promising http://www.erlang.org/doc/man/crypto.html

azet avatar Jul 17 '15 11:07 azet

I dabble in elixir without knowing much of anything about erlang (which is unforunate), and at the time the defacto the phoenix web framework process was to store the plain text text password in the configs -- hence this small project was born. Phoenix has since improved their out-of-the-box configurations and I haven't maintained this.

Here's an article I wrote about the possible use of the project as a step-up from plain text passwords http://a4word.com/articles/safetybox.php

The strong crypto link didn't work, can you repost.

aforward avatar Jul 17 '15 12:07 aforward

Does this work? https://github.com/electricFeel/savory

azet avatar Jul 17 '15 12:07 azet

Yes.

aforward avatar Jul 17 '15 12:07 aforward