Verdaccio: [SECURITY] Insecure password hashing
My reason:
- I saw
sha1is used for hashing the password, yet it's a deprecated insecure hashing algorithm, next to that it's not meant for hashing passwords!!! - If the above wasn't bad enough, you don't even use a salt --> https://github.com/verdaccio/verdaccio/blob/6d8d05b0ccbedcf38868e65c226400c66783a4f2/lib/plugins/htpasswd/utils.js#L57
App Version:
all
Solution
use a hashing algorithm made for password hashing: (pbkdf2, bcrypt, scrypt).
I would suggest bcrypt (npm bcrypt), It will automatically take care of adding a salt!
Conclusion
get your crypto together this app is highly insecure currently
rmi7
All 4 comments
I think the code is just confusing and should probably be re-written.
If you trace through what actually happens, crypt3 is required, and used by default, and that uses sha512 with a salt. So it is secure. Just needs a re-write for clarity.
jmwilkinson
on 18 May 2017
👍1
Something to have on mind for #192
juanpicado
on 18 May 2017
https://github.com/verdaccio/verdaccio/releases/tag/v3.0.0-beta.6 includes bcrypt support
juanpicado
on 3 Apr 2018
🎉1
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
![lock[bot] picture](https://avatars.githubusercontent.com/in/6672?v=4&s=40)
lock[bot]
on 18 Jan 2019
Was this page helpful?
0 / 5 - 0 ratings
Related issues
aprasadh
路
3Comments
kenske
路
4Comments
ianschmitz
路
3Comments
radubrehar
路
4Comments
kopax
路
3Comments