Webmin: Security Feature: Replace MD5 for password-hashing

Created on 1 Feb 2018  路  4Comments  路  Source: webmin/webmin

MD5 is an algorithm, which is too fast for secure password hashing. An attacker could brutforce it very quickly compared to other algorithms.
An hashing algorithm with higher CPU-consumption would be more secure.

Most helpful comment

SHA512 support has been implemented for inclusion in the next Webmin release.

All 4 comments

Good idea ... webmin does support this for /etc/passwd, but not for it's own passwords in /etc/webmin/miniserv.users .

What hashing scheme would you consider more secure?

I would consider e.g. PBKDF2 with SHA-512:
http://search.cpan.org/~dagolden/PBKDF2-Tiny-0.005/lib/PBKDF2/Tiny.pm
with a strong salt:
http://search.cpan.org/~ddick/Crypt-URandom-0.36/lib/Crypt/URandom.pm

if those modules are compliant with the webmin licence.

This is an outstanding description of security in Hashing-Algorithms:
https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords#answer-31846

Thanks - we will work on this, and update this bug when it's done

SHA512 support has been implemented for inclusion in the next Webmin release.

Was this page helpful?
0 / 5 - 0 ratings