One of these things is not like the other #1193
directus/api/core/Directus/Auth/Provider.php
Lines 212 to 215 in bb359eb

Not only are you not following best practices for user authentication, that particular arrangement (`sha1(salt || password)`) is a classic setup for a length-extension attack. Also, don't use `uniqid()` as a salt generator.

Recommendations:

Comments

Hi @paragonie-scott thanks for the recommendation to help us make Directus more secure. To be honest we've been aware of the use of We will take some time to work on security issues, which is also important.

I can sympathize with having all your spare time accounted for with bug fixing, etc. As a security researcher, however, I do take issue with products claiming to adhere to best practices and then, it turns out, actually don't. Security is hard. Cryptography is one of the more annoying aspects of security, where things like "comparing strings" can lead to disastrous results. Unless you happen to have access to security expertise through the community or on a contract basis, it would be wise to reword that section so you don't give your users a false sense of security.

@paragonie-scott – Absolutely, we 100% agree. We've been chatting with a few folks adept in security (always looking for more!) and are moving into a big security update/push over the next few weeks. Security audits/experts aren't cheap and being open-source we're always looking for community specialists who are interested in assessing/contributing to our framework. If you have any interest in providing insight or pull-requests we'd love to chat with you further. Just sent you a Slack invite just in case ;) In the meantime we'll look into adjusting the copy on our marketing site to better reflect the current state of our auth.