Changes between Version 1 and Version 2 of PasswordHash
- Timestamp: Feb 16, 2018, 2:56:41 PM
PasswordHash
v1 v2 6 6 }}} 7 7 This is no longer considered to be secure for storage of passwords. Brute force attacks on md5 hashed passwords are possible due to the speed that md5 hashes can be computed. As a result, in the event that the database of a BOINC project were compromised, the passwords would be at risk of being cracked. 8 9 Due to the fact that the md5 hash of the password is computed on the client (when a user is attaching to a project), any change made to the hash algorithm will take several years before the md5 hash can be fully sunset. As a result, it is important to get started on this change.10 11 This change will need to adhere to the follow goals:12 13 1. A old client should be able to register a user and/or attach a user to a old project14 15 1. A old client should be able to register a user and/or attach a user to a updated project16 17 1. A updated client should be able to register a user and/or attach a user to a old project18 19 1. A updated client should be able to register a user and/or attach a user to a updated project20 21 1. A updated project should have all passwords stored using the new hash algorithm22 8 23 9 = New Hashing Function = … … 76 62 77 63 = Changes = 78 The client will not require any changes nor will external systems that use the Web RPCs. 64 The client will not require any changes nor will external systems that use the Web RPCs. 79 65 80 66 The website will need to be changed in order to add the new logic to validate and rehash a password and to use the new hash algorithm when stored in the database.
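Review bot: the lines that carry only a v1 number (8 to 21: the paragraph on the md5 hash being computed on the client, plus the five compatibility goals) have no v2 counterpart, so v2 drops the requirements that the remaining "Changes" section is supposed to satisfy. "The client will not require any changes" now stands without the old/updated client and old/updated project matrix that justified it, and nothing in the visible v2 text still states that an updated project must end up with all passwords stored under the new algorithm. Suggest keeping the goals list in v2 (fixing "A old" to "An old", "A updated" to "An updated" and "follow goals" to "following goals"), or, if it moved into the elided part of the page, saying so in the change comment. The v1 78 / v2 64 pair reads identically in the visible text, so that modification looks like whitespace only and could be left out of the change.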