
#1 2016-05-26 03:29:14 | jimav (Member, registered 2016-05-26, 3 posts)

Please implement good password security

Hello,

This is a request that both piwigo.org and the Piwigo gallery software stop sending passwords in emails, and adopt modern methods of password management wherein passwords are *never stored anywhere*, but only cryptographic hashes of them, etc., so that in the event of a data breach everyone's password is not immediately compromised (this technique has been known since the 1970s, and to my knowledge is the only known safe technique).

For those not familiar with password hashing, here are some references:

  https://crackstation.net/hashing-security.htm

  http://blog.conviso.com.br/worst-and-be … d-storage/

(I just found these with a simple Google search).

Currently, the Piwigo gallery software, immediately upon activation, sends an email to the administrator with the admin's password in plain text. The piwigo.org forum registration does similarly. This is a really bad practice because normal email is not secure; even if you aren't concerned about the NSA capturing your emails as they transit the Internet, your email provider stores your emails for an indefinite time, and if you aren't very careful your local email client (e.g. Thunderbird) will also store your "deleted" emails. Any way you look at it, email is just the wrong place for sensitive information. As noted above, there's really no safe place to store passwords as such, so they should never be stored (only the derived hashes).


#2 2016-05-26 09:45:44 | flop25 (Piwigo Team, registered 2006-07-06, 7037 posts)

Re: Please implement good password security

Hello,
Passwords are already hashed and salted, and that can even be changed if you are not yet satisfied:
[Github] Piwigo file include/config_default.inc.php@L522
[Github] Piwigo file include/functions_user.inc.php@L1004

Then, if the server is not secured for email, it's very likely it will be unsecured for receiving the password from the client too.


#3 2016-05-27 04:47:22 | jimav (Member, registered 2016-05-26, 3 posts)

Re: Please implement good password security

I'm glad to hear that passwords are hashed and salted -- but still surprised that after going to that trouble the plain-text passwords escaped to disk storage and emails.

> if the server is not secured for email, it's very likely it will be unsecured too for receiving the password from the client

There is where I disagree, for the following reasons:

1. It is impossible for the server to control outgoing email security. Even if the server is absolutely hack-proof (in which case hashing passwords would be unnecessary...) the server has no control over how outgoing emails are secured after departure. They will be stored at every SMTP server along the way, and finally in long-term storage at yahoo, hotmail, aol, or [pick your favorite 'big name' with a history of major data breaches]. And, finally, the email is often stored on the user's laptop, e.g. in Deleted, Trash, Archive, or similar folder.

2. Passwords sent during login exist only in RAM and in network packets, which if sent over https are encrypted. If the login software is careful to immediately hash the input and then erase the plain-text, before it can be stored on disk, then the risk of compromise is very small.

Thanks for listening.

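The practice argued for across this thread (store nothing but a salted, slow hash of the password, and send a newly created administrator a one-time activation link instead of the password itself), shown as an added Python example. This is not Piwigo's PHP code and is not a description of how Piwigo or the piwigo.org forum actually work; the in-memory user store, the PBKDF2 work factor, the one-hour token lifetime and the gallery.example hostname are all assumptions made for the illustration.

```python
"""Added illustration (not Piwigo code): salted slow password hashing plus a
single-use activation link, so neither the password nor any reusable secret is
ever written to the users table or put into an e-mail."""
import hashlib
import hmac
import secrets
import time

# Assumption: PBKDF2-HMAC-SHA256 work factor in line with current OWASP guidance.
PBKDF2_ITERATIONS = 600_000
TOKEN_TTL_SECONDS = 3600        # assumption: activation links live one hour


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iter>$<salt hex>$<digest hex>'; this is all that is stored."""
    salt = secrets.token_bytes(16)                       # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                                     # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _token_hash(token: str) -> str:
    # A fast hash is enough here: the token is 256 random bits, not a guessable password.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class UserStore:
    """In-memory stand-in for the users table; `now` is injectable for testing expiry."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS, now=time.time):
        self._iterations = iterations
        self._now = now
        self._users: dict[str, dict] = {}

    def create_user(self, username: str, password: str) -> None:
        self._users[username] = {
            "password_hash": hash_password(password, self._iterations),
            "activated": False,
            "activation": None,      # {"token_hash": ..., "expires": ...} while pending
        }

    def stored_record(self, username: str) -> dict:
        """What would land on disk: no plaintext password, no raw activation token."""
        return dict(self._users[username])

    def issue_activation_token(self, username: str) -> str:
        """Return the one-time token for the e-mail link; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        self._users[username]["activation"] = {
            "token_hash": _token_hash(token),
            "expires": self._now() + TOKEN_TTL_SECONDS,
        }
        return token

    def activation_email(self, username: str, token: str) -> str:
        # Constructed message body with a placeholder hostname; it carries no password.
        return (f"Hello {username},\nActivate your account within one hour: "
                f"https://gallery.example/activate?token={token}\n")

    def redeem_activation_token(self, username: str, token: str) -> bool:
        rec = self._users.get(username)
        pending = rec["activation"] if rec else None
        if pending is None:
            return False
        if self._now() > pending["expires"]:
            rec["activation"] = None                     # expired: a new one must be issued
            return False
        if not hmac.compare_digest(_token_hash(token), pending["token_hash"]):
            return False                                 # wrong token: pending one stays valid
        rec["activation"] = None                         # single use
        rec["activated"] = True
        return True

    def login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None or not rec["activated"]:
            return False
        return verify_password(password, rec["password_hash"])


if __name__ == "__main__":
    store = UserStore()
    store.create_user("admin", "correct horse battery staple")
    token = store.issue_activation_token("admin")
    print(store.activation_email("admin", token))
    print("stored record:", store.stored_record("admin"))
    print("activate:", store.redeem_activation_token("admin", token))
    print("replay:", store.redeem_activation_token("admin", token))
    print("login:", store.login("admin", "correct horse battery staple"))
```

Two design points worth noting. The stored string carries its own iteration count, so the work factor can be raised later and old records still verify (and can be re-hashed at next successful login). The activation token is as exposed in transit and in mailbox storage as an e-mailed password would be, but it is useless after one use or one hour, whereas a password recovered from an old mailbox is good until changed. One caveat: `login` returns early for unknown or unactivated accounts, which lets an attacker tell real usernames from fake ones by timing; a production version would run a dummy `verify_password` on that path so both branches cost the same.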