serious-security-how-to-store-your-users-passwords-safely

Topics: Core
Aug 5, 2014 at 9:04 AM
Edited Aug 5, 2014 at 9:04 AM
Hello, I am wondering how far Orchard goes regarding this article:
http://nakedsecurity.sophos.com/2013/11/20/serious-security-how-to-store-your-users-passwords-safely/

As I heard, it uses ASP.NET Identity: http://www.asp.net/identity

Is this true?

Thank you in advance for an answer related to the advice in the nakedsecurity article.
Developer
Aug 5, 2014 at 10:45 AM
Orchard stores passwords hashed and salted, which is a widely used practice considered reasonably safe. But: http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html
Aug 6, 2014 at 7:56 AM
Thank you!
Aug 7, 2014 at 1:02 PM
Edited Aug 7, 2014 at 1:33 PM
I read nearly the entire article. Unfortunately your answer does not provide any details about what algorithm is used. The article talks for example about PBKDF2.

Haha. Nice quote at the end of the article:
"There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.
This does indeed appear to be the case and unfortunately SHA is now firmly in the former category."
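
The difference the thread circles around (a salted hash versus PBKDF2), shown as an added example that is not part of the thread and is not Orchard's code. It places a salted single-pass SHA-256 record beside a PBKDF2-HMAC-SHA256 record and upgrades a legacy record on the next successful login. The record format, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def hash_legacy(password: str, salt: bytes) -> str:
    """Salted single-pass SHA-256: the salt defeats precomputed tables,
    but every guess still costs the attacker only one hash."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256: same per-user salt, but each guess costs
    `iterations` HMAC computations."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, upgraded_record). upgraded_record is set when a valid
    login used a legacy or under-iterated record that should be re-stored."""
    parts = stored.split("$")
    try:
        if parts[0] == "sha256" and len(parts) == 3:
            candidate = hash_legacy(password, bytes.fromhex(parts[1]))
            needs_upgrade = True
        elif parts[0] == "pbkdf2_sha256" and len(parts) == 4:
            iterations = int(parts[1])
            candidate = hash_pbkdf2(password, bytes.fromhex(parts[2]), iterations)
            needs_upgrade = iterations < PBKDF2_ITERATIONS
        else:
            return False, None  # unknown scheme: reject rather than guess
    except ValueError:
        return False, None      # malformed salt or iteration field
    # Constant-time comparison avoids leaking how much of the hash matched.
    if not hmac.compare_digest(candidate, stored):
        return False, None
    return True, (hash_pbkdf2(password) if needs_upgrade else None)
```

Storing the scheme and iteration count inside each record is what makes the upgrade possible without forcing a password reset: the plaintext is only available at login, so that is when the record is rewritten.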