
Use a more secure cryptographic hashing function for password instead of the current MD5

Open allanbenW opened this issue 1 year ago • 3 comments

Introduction

NebulaGraph (as of v3.6.0) uses MD5 for password hashing: https://github.com/vesoft-inc/nebula/blob/de9b3ed800a6627d9845e9289b6bbc5b6faf460a/src/graph/executor/admin/CreateUserExecutor.cpp#L24

However, MD5 is known to have broken collision resistance and is vulnerable to collision attacks. There are also published theoretical attacks against its preimage resistance.

Contents

Use a cryptographically secure hashing function, such as bcrypt

Related work

allanbenW avatar Nov 22 '23 19:11 allanbenW
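The contrast the issue is drawing, as an added example that is not NebulaGraph's code: an unsalted, fast digest such as MD5 yields the same stored value for every account that shares a password and can be attacked with precomputed tables, whereas a salted, iterated password hash does not. The standard-library `hashlib.pbkdf2_hmac` stands in here for bcrypt (which the issue recommends but which needs a third-party package); the `pbkdf2_sha256$iterations$salt$digest` storage format and the helper names are this example's own choices.

```python
# Added example, not NebulaGraph code. PBKDF2-HMAC-SHA256 from the standard
# library is used as a stand-in for bcrypt; the storage format and function
# names below are assumptions made for this illustration.
import hashlib
import hmac
import os
from typing import Callable, Optional

ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def md5_store(password: str) -> str:
    """The pattern the issue objects to: fast, unsalted and deterministic,
    so equal passwords give equal rows and rainbow tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and pack it with its own parameters,
    so the verifier can re-derive it even after ITERATIONS is raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in
    constant time so the check leaks nothing about how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed or foreign record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def identical_rows(store: Callable[[str], str], password: str) -> bool:
    """True if two accounts that choose the same password would end up with
    byte-identical stored values under the given scheme."""
    return store(password) == store(password)


if __name__ == "__main__":
    print("MD5 rows identical for equal passwords:", identical_rows(md5_store, "hunter2"))
    print("PBKDF2 rows identical for equal passwords:", identical_rows(pbkdf2_store, "hunter2"))
    record = pbkdf2_store("hunter2")
    print("stored record:", record)
    print("verify correct:", pbkdf2_verify("hunter2", record))
    print("verify wrong:", pbkdf2_verify("hunter3", record))
```

Embedding the iteration count and salt in the stored record is what lets a deployment raise the work factor for new passwords without invalidating old ones; a migration from MD5 would typically rehash each user's password on their next successful login, since the plaintext is only available at that moment.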

Welcome @allanbenW to the community and thanks for pointing this out!

@dutor @MuYiYong

wey-gu avatar Nov 23 '23 01:11 wey-gu

Hi team. Just wondering if there's any plan to address this security concern soon? Maybe in the next (few) minor/major releases?

allanbenW avatar Apr 02 '24 18:04 allanbenW

Bump again.

Apologies for the ping, just trying to get some attention @wey-gu @dutor.

This is a security concern flagged by our security team, and it's blocking our adoption of this otherwise amazing solution.

allanbenW avatar Apr 17 '24 15:04 allanbenW