Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Insecure password storage #3

Open
rieck-srlabs opened this issue Mar 22, 2024 · 4 comments
Open

Insecure password storage #3

rieck-srlabs opened this issue Mar 22, 2024 · 4 comments

Comments

@rieck-srlabs
Copy link

Issue Description

Webtag uses the following code (called by getValidPassword) to store and hash passwords:

const hashString = (str) => {
	return crypto.createHash("sha256", config.SECRET).update(str).digest("hex");
};

I guess this is supposed to include a secret / salt (config.SECRET) in the hash computation. Node's crypto.createHash however does not take a salt. The current code just performs a single vanilla SHA-256 computation:

Notice that the output using a "salt" (supersecret) and using no salt is identical:

> password = 'hunter2'
'hunter2'
> crypto.createHash("sha256", "supersecret").update(password).digest("hex")
'f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7'
> crypto.createHash("sha256").update(password).digest("hex")
'f52fbd32b2b3b86ff88ef6c490628285f482af15ddcb29541f94bcf526a3f6c7'

Passwords are stored unsalted, hashed just once with SHA-256.

Remediation

Follow proper guidance here and use Argon or at least PBKDF2 with many iterations.
@vasanthv
Copy link
Owner

@rieck-srlabs Thanks for the suggestion. Will look into it. What will happen to the existing users who are already created? Do we need to ask them to create new password?

@aadityabhatia
Copy link

aadityabhatia commented Mar 23, 2024
edited

Just curious - why not OAuth? To me, creating / managing yet another password is a barrier to entry, but being able to login with my GitHub (just identity, no permissions), for example, would be a really simple thing to do. It would also allow you to offload user/password management to another provider and focus on your core product.

@aadityabhatia
Copy link

Disregard my last comment. Just saw issue #4.

@rieck-srlabs
Copy link
Author

What will happen to the existing users who are already created? Do we need to ask them to create new password?

You'll have to migrate them. Asking them to reset their own password would work, but you could also:

  1. Add a passwordVersion enum to the userSchema with v1 (current password hashing) and v2 (more secure setup)
  2. Add code to logIn that handles both v1 and v2, but that migrates users from v1 to v2 on login (you have the plaintext password then). Alternatively, update all other functionality to use v2, so that any password reset will use the improved setup.
  3. Modify the production database accordingly, setting all current users to v1.
  4. Wait for users to login and upgrade their password version.
  5. Remove migration code once there are no longer any v1 users.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@aadityabhatia @vasanthv @rieck-srlabs