Password Hashing

Topics: Core
Jun 15, 2012 at 11:44 PM
Edited Jun 16, 2012 at 1:31 AM

With recent attention on attacks on password hashes (linkedin - I'm looking at you), I decided to look at how hashed passwords are stored in Orchard. I made a few changes to Orchard.Users/Services/MembershipService.cs to support RFC2898 (PBKDF2) with 10000 iterations and a 64-bit salt.

This code also encrypts the salt value using the machine key (_encryptionService), so a db breach that got the Orchard_Users_UserPartRecord table would also need to get the machine key from the app server to easily attack the hashes.

This change still supports SHA1 password hashes, but the first time someone logs in with a SHA1 password it gets upgraded to PBKDF2. The new algorithm is also used for all new users and any time someone changes a password.
<removed the code so no one would be tempted to use it>

I submitted a pull request with the changes suggested.
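As an added illustration of the scheme described in this post (it is not the code that was removed from the post, nor Orchard's MembershipService), here is a stand-alone Python version of PBKDF2 hashing with upgrade-on-login from a legacy salted SHA1 hash. The legacy record shape (sha1(salt || password)), the `$`-delimited storage string, the record dataclass and the 128-bit salt size are assumptions made for this example; encrypting the salt with the machine key is left out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Iteration count as discussed in the thread; the 16-byte (128-bit) salt size
# is an assumption for this example.
ITERATIONS = 10000
SALT_BYTES = 16
DK_LEN = 20  # native output length of PBKDF2-HMAC-SHA1


@dataclass
class PasswordRecord:
    """Assumed shape of what a user row carries: algorithm tag, salt, digest, iterations."""
    algorithm: str          # "sha1" (legacy) or "pbkdf2"
    salt: bytes
    digest: bytes
    iterations: int = 0     # 0 for legacy sha1 records


def derive(password: str, salt: bytes, iterations: int, dklen: int = DK_LEN) -> bytes:
    """RFC 2898 PBKDF2 with HMAC-SHA1; the RFC 6070 test vectors apply to this function."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen)


def legacy_sha1_record(password: str, salt: bytes) -> PasswordRecord:
    """Assumed legacy record: a single salted SHA1 digest, sha1(salt || password)."""
    return PasswordRecord("sha1", salt, hashlib.sha1(salt + password.encode("utf-8")).digest())


def pbkdf2_record(password: str, iterations: int = ITERATIONS) -> PasswordRecord:
    """Fresh random salt per user; used for new accounts, password changes and upgrades."""
    salt = os.urandom(SALT_BYTES)
    return PasswordRecord("pbkdf2", salt, derive(password, salt, iterations), iterations)


def to_storage(rec: PasswordRecord) -> str:
    """Assumed '$'-delimited column format so the verifier can recover the parameters."""
    if rec.algorithm == "pbkdf2":
        return f"pbkdf2${rec.iterations}${rec.salt.hex()}${rec.digest.hex()}"
    return f"sha1${rec.salt.hex()}${rec.digest.hex()}"


def from_storage(value: str) -> PasswordRecord:
    """Inverse of to_storage; rejects anything that is not one of the two known layouts."""
    parts = value.split("$")
    if parts[0] == "pbkdf2" and len(parts) == 4:
        return PasswordRecord("pbkdf2", bytes.fromhex(parts[2]), bytes.fromhex(parts[3]), int(parts[1]))
    if parts[0] == "sha1" and len(parts) == 3:
        return PasswordRecord("sha1", bytes.fromhex(parts[1]), bytes.fromhex(parts[2]))
    raise ValueError("unrecognised password record")


def verify(rec: PasswordRecord, password: str) -> bool:
    """Recompute the digest with the record's own parameters and compare in constant time."""
    if rec.algorithm == "pbkdf2":
        candidate = derive(password, rec.salt, rec.iterations, len(rec.digest))
    elif rec.algorithm == "sha1":
        candidate = hashlib.sha1(rec.salt + password.encode("utf-8")).digest()
    else:
        return False
    return hmac.compare_digest(candidate, rec.digest)


def verify_and_upgrade(rec: PasswordRecord, password: str) -> Tuple[bool, Optional[PasswordRecord]]:
    """Login path: on success, return a replacement record when the stored one is a
    legacy SHA1 hash or was computed with fewer iterations than the current setting.
    The caller persists the replacement; the plaintext is only available at login."""
    if not verify(rec, password):
        return False, None
    if rec.algorithm == "pbkdf2" and rec.iterations >= ITERATIONS:
        return True, None
    return True, pbkdf2_record(password)


if __name__ == "__main__":
    # Constructed sample: a user whose row still holds a legacy SHA1 hash with a 64-bit salt.
    stored = to_storage(legacy_sha1_record("correct horse battery", b"\x01" * 8))
    ok, replacement = verify_and_upgrade(from_storage(stored), "correct horse battery")
    print(ok, replacement.algorithm if replacement else "no upgrade needed")
```

Because the iteration count is stored with each record, raising ITERATIONS later re-triggers the same upgrade path at the next successful login, and the constant-time comparison applies to both the legacy and the new format.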

Coordinator
Jun 15, 2012 at 11:56 PM

Sounds nice. Do you want to submit a pull request for this?

Coordinator
Jun 15, 2012 at 11:59 PM

First, and just to be clear for those reading the post, Orchard is already safe from this kind of hack. Even if a hacker gets the Orchard you can feel very safe. 

However, what you are trying to do by automatically migrating to PBKDF2 is a very nice addition because it's even safer. For instance the nuget.org gallery is using the same technique, when accounts get migrated from the previous one based on Orchard.

I would be glad to include this, though I think, and it has been validated by our security expert at MS, that you don't need to encrypt the hash, and using 1000 iterations and a 128-bit salt is very fine.

Would you like to make those changes and make a fork so I can include it?

Jun 16, 2012 at 12:10 AM

I'll make a fork and submit a pull request.