MD5 password encryption is insecure #3

junhoyeo · 2019-01-05T18:56:07Z

var password = crypto.createHash('md5').update(req.body.password, 'utf8').digest('hex')

사용자 패스워드가 MD5로 해싱되어 저장된다.

취약한 이유

MD5는 더 이상 안전하지 않음(하드웨어 성능 개선 및 관련 공격 기술 등), End-Of-Life
참고: https://www.zdnet.com/article/md5-password-scrambler-no-longer-safe/
salted MD5도 좋은 생각이 아님: https://security.stackexchange.com/questions/19906/is-md5-considered-insecure

junhoyeo · 2019-01-06T11:47:52Z

현재 scrypt 적용을 고려하고 있다.

junhoyeo self-assigned this Jan 5, 2019

junhoyeo added the enhancement New feature or request label Jan 5, 2019

junhoyeo removed their assignment Jan 6, 2019

junhoyeo added invalid This doesn't seem right and removed invalid This doesn't seem right labels Mar 17, 2019

junhoyeo added this to To do in Busy March via automation Mar 17, 2019

junhoyeo moved this from To do to In progress in Busy March Mar 17, 2019

junhoyeo mentioned this issue Mar 18, 2019

fix(service): hash encryption with scrypt(scryptsy) #19

Open

junhoyeo moved this from Assigned To do to In progress in Busy March Mar 18, 2019

junhoyeo moved this from In progress to Assigned To do in Busy March Mar 18, 2019