Salted passwords

Hi,

is there a special reason, why user passwords are not salted? If someone hacks my website and dumps the database, it could get the correct passwords extremely fast using rainbow tables.

Best regards,
sewid

I completely agree with this. I will be a lot more secure if passwords would be salted.

This is slated for 2.1: http://bugs.modx.com/issues/325

It could not be done in the 2.0.x track because changing the password encryption methods will require all MODx installs to have their users reset their passwords on login to encrypt them in the new format. We didn’t want to have to do that for a 2.0.x release.

Quote from: sebasporto at Nov 22, 2010, 06:05 AM

I completely agree with this. I will be a lot more secure if passwords would be salted.

This is becoming more and more important. I’ve been reading reports about how lax small businesses are on internet security and it would be nice to sort-of head this off at the pass glad to hear it’s getting put into the new version!

Would having them Salted mean we can no longer change the password via the database ??

Only ask as that is one of my biggest hates about using interspire software as I often need to change passwords and I love the fact I can just log into PHPmyAdmin and do it from there in Modx ??

Cheers

From my understanding a salted password is an encrypted password with an additional security layer.

I *think* it has to do with a per-user defined "salt" (like a sort of key), which is used in the encryption process to make it harder to reverse them.


I don’t think you should ever change passwords through PHPMyAdmin while you can change it through the manager.

I don’t think you should ever change passwords through PHPMyAdmin while you can change it through the manager.

Agreed, but when you have to access a site that was built 3 years ago by a developer that no longer works for the company you sometimes have no choice

You’d still be able to change passwords via phpMyAdmin if they are salted, it’s just trickier. Man, I’ve had to hack into sooo many sites for clients that forgot them or developers who disappeared or whatever, e.g. http://tipsfor.us/2009/10/25/forgot-your-modx-password-you-can-reset-it/

If you have FTP access to a site, you could retrieve the salt, typically you’d just add it to your password, e.g. if your salt is ’1234abcd’, and you wanted to change your password to ’p@$$w0rd’, you’d actually store ’1234abcdp@$$w0rd’ in the database and hash that via MD5 or whatever algorithm is used. Or, you could also change the salt entirely, e.g. to a an empty string. Or, you could update the admin password in the database and then request a password reset. There are lots of ways to open backdoors.

Will the hash also change to a more secure one (e.g. SHA-512 or Whirlpool)?

Edit: Is PBKDF2 its own hash?

Some systems use md5(’password’ . ’32 salt’).
If this is the plan for Revo each user has to change the password. An admin can always use phpmyadmin to change it manually.