
Insecure password storage

Open rieck-srlabs opened this issue 11 months ago • 4 comments

Issue Description

Webtag uses the following code (called by getValidPassword) to store and hash passwords:

const hashString = (str) => {
	return crypto.createHash("sha256", config.SECRET).update(str).digest("hex");
};

I guess this is supposed to include a secret / salt (config.SECRET) in the hash computation. Node's crypto.createHash however does not take a salt. The current code just performs a single vanilla SHA-256 computation:

Notice that the output using a "salt" (supersecret) and using no salt is identical:

> password = 'hunter2'
'hunter2'
> crypto.createHash("sha256", "supersecret").update(password).digest("hex")
'f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7'
> crypto.createHash("sha256").update(password).digest("hex")
'f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7'

Passwords are stored unsalted, hashed just once with SHA-256.

Remediation

Follow proper guidance here and use Argon or at least PBKDF2 with many iterations.

rieck-srlabs, Mar 22 '24 16:03