Broken password store (HMAC-SHA256, per-user salts) #2

Open
lvh opened this issue Jan 19, 2014 · 0 comments
Comments

@lvh
Member

lvh commented Jan 19, 2014

So, basically, prove that per-user salts and using HMAC instead of whatever still doesn't fix anything.

Example text:


A company's intranet login (accessible at hmac-password-store-intranet) was recently compromised with a SQL injection attack. They have fixed the issue since then, but the breach resulted in a complete user table dump. You can access it at hmac-password-store-csv-dump.

Fortunately, they didn't store the passwords in plaintext. It even appeared to tick all the right boxes.

  • they used a cryptographically secure hash function (SHA-256).
  • they used a per-user salt.
  • they used HMAC to mix the salt with the password (with the salt as the key).

Log in as the admin user.


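The following is an added example, not code from the issue or from lvh's challenge repository, that demonstrates the point the issue asks for: with tag = HMAC-SHA256(key = per-user salt, msg = password), the salt only stops precomputation across users; it does nothing to slow a per-user dictionary attack, because one guess costs one fast HMAC. The CSV layout (`username,salt,hmac_sha256`), the usernames, the salts and the wordlist are all constructed here for illustration and are not the challenge's actual dump.

```python
import csv
import hashlib
import hmac
import io
import secrets


def store_password(password: str, salt: bytes) -> str:
    """The scheme described in the issue: HMAC-SHA256 with the salt as the key.

    Assumed layout for the example; the real store's exact encoding is not on the page.
    """
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).hexdigest()


def build_dump(users: dict) -> str:
    """Build a constructed CSV dump (username,salt,hmac_sha256) with random per-user salts."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["username", "salt", "hmac_sha256"])
    for name, password in users.items():
        salt = secrets.token_bytes(16)  # unique per user, as the challenge states
        writer.writerow([name, salt.hex(), store_password(password, salt)])
    return buf.getvalue()


def crack_dump(dump: str, wordlist: list) -> dict:
    """Dictionary attack on the dump.

    The per-user salt only means each (user, candidate) pair needs its own HMAC;
    since HMAC-SHA256 is a fast function, that is no real cost to the attacker.
    """
    recovered = {}
    for row in csv.DictReader(io.StringIO(dump)):
        salt = bytes.fromhex(row["salt"])
        target = row["hmac_sha256"]
        for candidate in wordlist:
            if hmac.compare_digest(store_password(candidate, salt), target):
                recovered[row["username"]] = candidate
                break
    return recovered


# Constructed sample data: hypothetical accounts and a tiny wordlist.
USERS = {
    "admin": "letmein2014",
    "alice": "correct horse battery staple",  # not in the wordlist, stays uncracked
    "bob": "hunter2",
}
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty", "letmein2014"]
SAMPLE_DUMP = build_dump(USERS)


if __name__ == "__main__":
    # The admin password falls out of the dump with six guesses per user.
    print(crack_dump(SAMPLE_DUMP, WORDLIST))
```

The only thing that would help here is a deliberately slow, memory-hard or iterated password hash (scrypt, bcrypt, PBKDF2 with a high iteration count) so that each guess in the inner loop costs the attacker real work; the choice of SHA-256 versus HMAC-SHA256, and the presence of a salt, do not change the cost per guess.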