Make stronger authentication in cyphesis
The main problem with the current cyphesis authentication implementation is that the password reaches the server in cleartext.
There are also some minor problems:
- The string format $1$xxx$xxx looks like the one crypt() uses, but it is not the crypt() algorithm; it is just a plain md5().
- The byte order differs from what other md5 implementations return.
All of this can lead to security problems and poor interoperability.
Suggestion: implement a stronger authentication algorithm, such as digest authentication, to fix the cleartext problem, and fix these minor issues as part of it.
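To make the proposal concrete, here is an added example of a digest-style challenge-response login modelled on HTTP Digest authentication (RFC 2617, with SHA-256 as RFC 7616 permits instead of MD5). It is illustration code written for this page, not cyphesis code: the realm name "cyphesis", the message field names and the Server/client helpers are all assumptions. The server stores only a hash H(user:realm:password), the password itself never crosses the wire, a fresh single-use server nonce blocks replay, and every digest is emitted as a lower-case hex string in the same byte order any standard hash library produces, which is what interoperability needs.

```python
"""Digest-style challenge-response authentication (added example, not cyphesis code).

Assumptions for illustration: realm name, message layout and class names are
invented here; the hash is SHA-256 rather than the MD5 of classic Digest auth.
"""
import hashlib
import hmac
import secrets

REALM = "cyphesis"  # assumed realm name, not taken from the project


def _h(s: str) -> str:
    # Lower-case hex digest in the canonical byte order every other SHA-256 /
    # MD5 library produces, so verifiers can be checked with standard tools.
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def make_ha1(username: str, password: str, realm: str = REALM) -> str:
    """Verifier stored server-side instead of the cleartext password."""
    return _h(f"{username}:{realm}:{password}")


class Server:
    """Holds verifiers and outstanding nonces; never sees the password."""

    def __init__(self) -> None:
        self.accounts: dict[str, str] = {}  # username -> HA1 verifier
        self.pending: dict[str, str] = {}   # username -> single-use nonce

    def register(self, username: str, password: str) -> None:
        # Registration is the one step that would need a protected channel.
        self.accounts[username] = make_ha1(username, password)

    def challenge(self, username: str) -> dict:
        # Fresh random nonce per login attempt; a replayed response cannot match.
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return {"realm": REALM, "nonce": nonce}

    def verify(self, username: str, nonce: str, cnonce: str, response: str) -> bool:
        expected_nonce = self.pending.pop(username, None)  # consume: single use
        ha1 = self.accounts.get(username)
        if ha1 is None or expected_nonce is None:
            return False
        if not hmac.compare_digest(nonce, expected_nonce):
            return False
        expected = _h(f"{ha1}:{nonce}:{cnonce}")
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def client_response(username: str, password: str, challenge: dict) -> dict:
    """Client side: proves knowledge of the password without sending it."""
    cnonce = secrets.token_hex(8)  # client nonce, guards against a chosen server nonce
    ha1 = make_ha1(username, password, challenge["realm"])
    return {
        "username": username,
        "nonce": challenge["nonce"],
        "cnonce": cnonce,
        "response": _h(f"{ha1}:{challenge['nonce']}:{cnonce}"),
    }


def login(server: Server, username: str, password: str) -> bool:
    """Full exchange: server challenge -> client response -> server verdict."""
    chal = server.challenge(username)
    resp = client_response(username, password, chal)
    return server.verify(resp["username"], resp["nonce"], resp["cnonce"], resp["response"])


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse")  # constructed sample account
    print("good password:", login(srv, "alice", "correct horse"))
    print("bad password: ", login(srv, "alice", "wrong"))
```

Two caveats a practitioner would want before adopting this. First, the stored verifier HA1 is password-equivalent for that realm: whoever reads the account file can answer challenges without knowing the password, so the file needs the same protection a cleartext password file would, and a client that caches HA1 instead of the password (as the whiteboard comment below wishes) is caching something equally sensitive. Second, the exchange authenticates the client but does not encrypt or integrity-protect the rest of the session; a transport-layer scheme such as TLS, or a SASL mechanism like SCRAM, addresses both points and should be considered if the protocol is being changed anyway.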
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by:
Whiteboard
Currently Ember doesn't save any passwords, and one of the reasons for not doing that is that they need to be sent as cleartext, and I'd much rather store a hashed password (since users often reuse their passwords). I'm not familiar with how cyphesis handles the passwords, but if anyone would want to take a closer look at it I'm more than willing to help out with the client part. //erik