Make stronger authentication in cyphesis

Registered by Alexey Torkhov

The main problem with the current cyphesis authentication implementation is that the password is sent to the server in cleartext.
There are also some other minor problems:
- The format of the string $1$xxx$xxx is like the one crypt() uses, but it's not the crypt() algorithm, it's just plain md5().
- The byte order is different from what other md5 functions return.
All this can lead to security problems and bad interoperability.

Suggesting to implement a stronger auth algorithm, like digest authentication, to fix the cleartext problem and also fix these minor issues.
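
A minimal sketch of the challenge-response exchange that digest authentication provides, added here as an example and not taken from cyphesis or Ember. It uses SHA-256 instead of MD5 (as RFC 7616 does); the realm string and all class and function names are assumptions, and the wire format is left out.

```python
import hashlib
import hmac
import secrets

REALM = "cyphesis-example"  # assumed realm label, not a cyphesis identifier


def h(*parts):
    """SHA-256 over colon-joined fields, hex encoded (RFC 7616 style)."""
    return hashlib.sha256(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username, password):
    """Derived secret: the server stores it, a client can cache it instead of the password."""
    return h(username, REALM, password)


class Server:
    def __init__(self):
        self.accounts = {}    # username -> HA1, never the cleartext password
        self.pending = set()  # nonces issued and not yet used

    def register(self, username, stored_ha1):
        self.accounts[username] = stored_ha1

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, username, nonce, cnonce, response):
        # A nonce is accepted once, so a captured response cannot be replayed.
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        stored = self.accounts.get(username)
        if stored is None:
            return False
        expected = h(stored, nonce, cnonce)
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(secret_ha1, nonce):
    """Return (cnonce, response); only these two values travel to the server."""
    cnonce = secrets.token_hex(16)
    return cnonce, h(secret_ha1, nonce, cnonce)
```

The stored value is password-equivalent within its realm, so it still needs protection at rest, and the exchange does not replace transport encryption.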

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None

Whiteboard

Currently Ember doesn't save any passwords, and one of the reasons for not doing that is that they need to be sent as cleartext, and I'd much rather store a hashed password (since users often reuse their passwords). I'm not familiar with how cyphesis handles the passwords, but if anyone would want to take a closer look at it I'm more than willing to help out with the client part. //erik
