
Password checking maybe broken (act issue, closed)

waterkip commented on July 20, 2024
Password checking maybe broken

from act.

Comments (7)

waterkip commented on July 20, 2024

No, I'm working on this. I want to use Argon2 and use some OWASP recommendations to store passwords. I reverted the change earlier this week to use bcrypt again.


HaraldJoerg commented on July 20, 2024

As far as I found in the records, the change from MD5 to BCRYPT was done in 2011 (853dfbe). The current handling of the salt in this branch is broken. Are you still working on this or should I put it on my todo list?


vanHoesel commented on July 20, 2024

I think it would be great to have only changes related to getting an easy-to-install and runnable PSGI-based version.

Any other improvements and less important issues that apply to both legacy and PSGI would need to be postponed and kept in sync.


HaraldJoerg commented on July 20, 2024

Fixing this can be considered as part of the "easy to install and runnable PSGI based version". Right now there are two creepy (=undocumented, untested, and insecure) parameters which must be set in the global act.ini.

The algorithm doesn't bother me too much, in my opinion Bcrypt is good enough for the risk profile of a conference site. It's the salt handling which is broken. As an easy intermediate I'll create a fix which derives the salt from the login name. The change is easy, local and doesn't need an extra column in the users table for a secure random salt (with all the accompanying changes for DB init and migration).

Legacy, by the way, seems to use MD5 without a salt. So, no bonus for security, but also no penalty for bogus configuration values.


waterkip commented on July 20, 2024

I think I fixed it, could you check @HaraldJoerg ?

I didn't use Argon2 yet, as the implementation cannot be used with a default Authen::Passphrase instance, so I stayed at bcrypt.


HaraldJoerg commented on July 20, 2024

Looks good!

One remark, though:

You are still referencing the bcrypt cost parameter:

    cost => $Config->bcrypt_cost // 8,

This means that if you don't have it defined in your act.ini, then every request will throw out a warning - that's the way AppConfig and Act::Config work. I suggest just dropping that parameter and sticking with a constant value of 8. I doubt that whoever runs an Act site will want to delve sufficiently deep into the crypto stuff that she can make an informed decision about the value... and it's easy to mess up things if you change the value in a conference act.ini.

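The two HaraldJoerg comments above make two practical points: the salt handling, and a fixed bcrypt cost instead of a per-site act.ini lookup. The following is an added example written for this page, not code from the Act project or from either commenter. It uses the real CPAN module Authen::Passphrase::BlowfishCrypt (the one the thread is about) plus the core module Digest::MD5; the function names, the constant BCRYPT_COST, and the assumption that the legacy branch stores unsalted hex MD5 digests are illustrative assumptions. The `$2a$` crypt string that the module produces already carries both the cost and the randomly drawn salt, so storing that one string is enough to verify a login later, and a bcrypt string with a different cost (or a legacy MD5 digest) can be transparently rehashed on a successful login.

```perl
#!/usr/bin/env perl
# Added example, not Act project code: bcrypt storage with a fixed cost,
# verification from the stored crypt string alone, and rehash-on-login for
# legacy unsalted MD5 digests (hex MD5 legacy format is an assumption here).
use strict;
use warnings;
use Authen::Passphrase::BlowfishCrypt;   # CPAN, wraps Crypt::Eksblowfish::Bcrypt
use Digest::MD5 qw(md5_hex);             # core module, legacy digest only

# Fixed work factor instead of $Config->bcrypt_cost: no undefined-key warning
# from the config layer on every request, and nothing to misconfigure per site.
use constant BCRYPT_COST => 8;

# Hash a new password. salt_random => 1 makes the module draw a fresh 16-byte
# salt; the returned crypt string ("$2a$08$<22 chars salt><31 chars hash>")
# embeds cost and salt, so no separate salt column is needed to verify later.
# Note: bcrypt only uses the first 72 bytes of the passphrase.
sub hash_password {
    my ($password) = @_;
    my $ppr = Authen::Passphrase::BlowfishCrypt->new(
        cost        => BCRYPT_COST,
        salt_random => 1,
        passphrase  => $password,
    );
    return $ppr->as_crypt;
}

# Verify a password against whatever is stored. Returns (ok, new_hash):
# new_hash is defined when the stored value should be replaced, i.e. it was a
# legacy MD5 digest or a bcrypt string whose cost differs from BCRYPT_COST.
sub check_password {
    my ($stored, $password) = @_;

    # Module recognises the $2$ and $2a$ crypt prefixes.
    if ($stored =~ /^\$2a?\$/) {
        my $ppr = Authen::Passphrase::BlowfishCrypt->from_crypt($stored);
        return (0, undef) unless $ppr->match($password);
        my $rehash = $ppr->cost == BCRYPT_COST ? undef : hash_password($password);
        return (1, $rehash);
    }

    # Assumed legacy format: 32 hex chars of unsalted MD5, as the thread
    # describes for the legacy branch. Compare in constant time, then upgrade.
    if ($stored =~ /^[0-9a-f]{32}$/) {
        return (0, undef) unless _ct_eq($stored, md5_hex($password));
        return (1, hash_password($password));
    }

    return (0, undef);   # unknown format: refuse rather than guess
}

# Constant-time equality for the legacy hex digests (bcrypt's match() does
# its own comparison, so this is only used on the MD5 path).
sub _ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Demonstration on constructed inputs.
my $hash = hash_password("correct horse");
print "stored: $hash\n";

my ($ok, $new) = check_password($hash, "correct horse");
print "bcrypt login ok=$ok, rehash needed: ", (defined $new ? "yes" : "no"), "\n";

($ok, $new) = check_password($hash, "wrong password");
print "wrong password ok=$ok\n";

my $legacy = md5_hex("correct horse");              # constructed legacy row
($ok, $new) = check_password($legacy, "correct horse");
print "legacy login ok=$ok, upgraded to: $new\n";   # caller writes $new back
```

The caller is expected to write the returned new hash back to the users table whenever it is defined; that is how a legacy MD5 row or an old-cost bcrypt row gets upgraded without a bulk migration, since the plaintext is only available at login time. If several schemes end up stored side by side, `Authen::Passphrase->from_crypt($stored)` can dispatch on the crypt prefix instead of the explicit regex used here.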

waterkip commented on July 20, 2024

Cool! Fixed that.

I'm closing this one due to your "All OK" message :)

