#1641 closed enhancement (fixed)
Use bcrypt for storing passwords instead of MD5
Reported by: | Nicklas Nordborg | Owned by: | Nicklas Nordborg |
---|---|---|---|
Priority: | critical | Milestone: | BASE 3.0 |
Component: | core | Version: | |
Keywords: | Cc: |
Description (last modified by )
This ticket replaces #1640. See http://codahale.com/how-to-safely-store-a-password/ for some background information.
We'll need to remove the 'Encrypt password' feature of the web client. We recommend that HTTPS is used if protection is needed.
To be able to upgrade an existing server we should store bcrypt(MD5(password)). Since we already have the MD5(password) stored the upgrade is simple.
Change History (5)
comment:1 Changed 12 years ago by
Description: | modified (diff) |
---|
comment:2 Changed 12 years ago by
Owner: | changed from everyone to Nicklas Nordborg |
---|---|
Status: | new → assigned |
comment:3 Changed 12 years ago by
comment:4 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
comment:5 Changed 12 years ago by
(In [5827]) References #1641: Use bcrypt for storing passwords instead of MD5
This is now implemented in the core and web client and seems to be working well. The update script has not yet been fixed so upgrading will not work.
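The upgrade scheme from the ticket description, bcrypt(MD5(password)), sketched as an added example; this is not code from the BASE code base. It assumes the jBCrypt library (org.mindrot.jbcrypt.BCrypt) is on the classpath, that legacy hashes are stored as lowercase hex MD5 of the UTF-8 password, and a work factor of 12; the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.mindrot.jbcrypt.BCrypt; // assumption: jBCrypt is available

public class PasswordUpgradeExample {
    static final int LOG_ROUNDS = 12; // assumed work factor, not taken from the ticket

    // Legacy format (assumed): lowercase hex MD5 of the UTF-8 encoded password.
    static String md5Hex(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return String.format("%032x", new BigInteger(1, digest));
    }

    // Upgrade step: works on the stored MD5 value, so no plaintext is needed.
    static String upgradeStoredHash(String storedMd5Hex) {
        // The input is 32 hex characters: below bcrypt's 72-byte input limit
        // and free of NUL bytes, which raw MD5 output would not guarantee.
        return BCrypt.hashpw(storedMd5Hex, BCrypt.gensalt(LOG_ROUNDS));
    }

    // New accounts and password changes go through the same two layers,
    // so every row has one format after the upgrade.
    static String hashNewPassword(String password) throws NoSuchAlgorithmException {
        return upgradeStoredHash(md5Hex(password));
    }

    // Login check: recompute the inner MD5, then let bcrypt compare using
    // the salt and cost embedded in the stored value.
    static boolean verify(String password, String storedBcrypt)
            throws NoSuchAlgorithmException {
        return BCrypt.checkpw(md5Hex(password), storedBcrypt);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample row as it would look before the upgrade.
        String legacy = md5Hex("correct horse battery staple");
        String upgraded = upgradeStoredHash(legacy);
        System.out.println("legacy:   " + legacy);
        System.out.println("upgraded: " + upgraded);
        System.out.println("right password accepted: "
                + verify("correct horse battery staple", upgraded));
        System.out.println("wrong password accepted: " + verify("guess", upgraded));
        // The upgrade must overwrite the MD5 value in place; a leftover copy
        // of the old column keeps the fast-hash exposure.
    }
}
```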