[TRANSLATE-3051] Add SALT to MD5 user password (4.4) - translate5 JIRA issue tracker

Type: Bug
Resolution: Fixed
Fix Version/s: translate5 - 5.7.10
Affects Version/s: None
Component/s: User Management

Urgency:
Critical
Important release notes:
Ensure that a DB backup is done. All user passwords will get additionally encrypted with a random secret (pepper) created and stored in the installation.ini
ChangeLog Description:
The user passwords are now stored in a more secure way.
Checklist:

Empty

show more show less

The user passwords are now stored in a more secure way.

Also the password hash mechanism is changed from less secure md5 hashes to more secure cryptographic methods - including a salt.

Additionally a random secret is created and stored in the installation.ini.

The secret is not in the config in DB, so that in case of SQL injection the passwords still are encrypted with that secret on the disk.

All user passwords are additionally encrypted with that secret, so when loosing or changing that secret all users has to change their passwords!

blocks

TRANSLATE-2217 List refactoring and code maintenance needs in translate5

Selected for dev

Assignee:: Thomas Lauria

Reporter:: Marc Mittag [Administrator]

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 10/Sep/2018 07:49

Updated:: 23/Apr/2024 05:09

Resolved:: 14/Sep/2022 10:58