Serendipity Forums

User and developer community

FAQFAQ   SearchSearch   MembersMembers  RegisterRegister 
User Control PanelUser Control Panel   LoginLogin
 

The Serendipity Handbook

You can now read the (german) handbook here: PDF - https://github.com/s9y/Book (LaTeX source).

Forum-Information

Before posting about errors, make sure that the answer cannot already be found in our FAQ or by searching this forum!
Posting is restricted to registered users (registering is free and simple!) due to recent spam attacks. When having trouble with this board, contact garvin(-at)s9y(-dot)org.

Board index Development google url storm

Discussion corner for Developers of Serendipity.
Post a reply
User avatar
Timbalu
Regular
 
Posts: 2542
Joined: Sun May 02, 2004 3:04 pm

google url storm

Postby Timbalu » Thu Jun 30, 2011 6:18 pm

To many tabs! ;-)

Is this something we should think about to be even more secure with Phpass or PBKDF2?
Do we use a large number of iterations to hash passwords?
(I found someone say iOS4 uses 10.000! :shock: )

http://www.heise.de/security/artikel/Pa ... view=print
http://www.openwall.com/phpass/
http ://www.openwall.com/articles/PHP-Users-Passwords
http://dev.myunv.com/articles/secure-pa ... th-phpass/
http://www.itnewb.com/v/Encrypting-Pass ... 2-Standard
Regards,
Ian
Top
User avatar
onli
Regular
 
Posts: 1044
Joined: Tue Sep 09, 2008 10:04 pm

Re: google url storm

Postby onli » Thu Jun 30, 2011 9:14 pm

At the moment, s9y is using phps sha1(), with the output of time() as salt.

Note that using something slower than that, like bcrypt, adds only security in the sense that if the database is stolen, the hash might be attacked and thus the password obtained.

Pro change:
* There are reports about fundamental issues in sha1.
* There are alternatives more expensive to crack.

Contra change:
* Which hash-algorithm should be the alternative? To guarantee the use of bcrypt, probably the best choice, php 5.3.2 is needed.
* We had quite some issues with upgrades when introducing sha1 instead of md5.

We probably should introduce iterations though, or try to use bcrypt when abailable..
Top
User avatar
Timbalu
Regular
 
Posts: 2542
Joined: Sun May 02, 2004 3:04 pm

Re: google url storm

Postby Timbalu » Fri Jul 01, 2011 9:16 am

onli wrote:We probably should introduce iterations though, or try to use bcrypt when abailable.

Yes, phpass has a fallback and PHP is heading to 5.4.
The article is about slowing down brute_force with a strong hash and many iterations to make it very expensive (by time and, last but not least, money), even in times having clouds, cuda, etc.
This is nothing to think about for 1.6, but in some of the next versions.
Regards,
Ian
Top
User avatar
onli
Regular
 
Posts: 1044
Joined: Tue Sep 09, 2008 10:04 pm

Re: google url storm

Postby onli » Fri Jul 01, 2011 12:22 pm

Yes, phpass has a fallback and PHP is heading to 5.4.

The last fallback of phpass seems to be md5, which is undesirable.
Top
User avatar
garvinhicking
Core Developer
 
Posts: 28944
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: google url storm

Postby garvinhicking » Fri Jul 01, 2011 1:35 pm

Hi!

One problem is also that if bcrypt is so expensive, currently s9y does a password check on every page request that is done. If it really takes 0.3 seconds or so to calcuate a single password, that would MASSIVELY impact the s9y pagespeed for someone being logged in....

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Top
User avatar
onli
Regular
 
Posts: 1044
Joined: Tue Sep 09, 2008 10:04 pm

Re: google url storm

Postby onli » Fri Jul 01, 2011 3:39 pm

Uff. Why do we do that? Makes sense if we can't trust the session, but isn't the password stored in the session for the check?
Top
Post a reply

Return to Development

Who is online

Users browsing this forum: Google [Bot] and 1 guest

It is currently Sun May 19, 2013 5:53 pm

Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Datenschutzerklärung