kobero98/TravelBook

Issue with password hashing without a salt

Opened this issue · 2 comments

Hi @kobero98,

Thanks for sharing the repository and it's a nice one.

I noticed one issue - the following program hashes then stores passwords without a salt:

  • Travelbook/src/main/java/travelbook/controller/ControllerLogin.java

The code is:

    private String passwordHash(String pswd) throws Exception {
        MessageDigest hasher = MessageDigest.getInstance("SHA-1");
        hasher.update(pswd.getBytes("UTF-8"));
        return toHex(hasher.digest());
    }

SHA-1 has been considered obsolete and unsafe since 2016, and hashed passwords without a salt are vulnerable to dictionary attacks. This type of vulnerability is categorized as CWE-759: Use of a One-Way Hash without a Salt. I've submitted a Pull Request with the modified code adding a random salt to the SHA256 hash. Please consider merging the PR.

Thanks,
@luchua-bc
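The kind of fix described in the issue, as an added example rather than the repository's or the PR's own code: a per-user random salt, SHA-256 over salt plus password, the salt stored next to the digest, and a constant-time check at login. The class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example (not the project's code): salted replacement for the unsalted
// SHA-1 passwordHash() quoted above, plus the matching verification step.
public class SaltedPasswordHash {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;

    // Returns "base64(salt)$base64(sha256(salt || password))". The salt is kept
    // with the digest because it is needed again when the password is checked.
    public static String hashPassword(String pswd) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                       // fresh random salt per password
        byte[] digest = digest(salt, pswd);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(digest);
    }

    // Recomputes the digest with the stored salt and compares in constant time,
    // so a mismatch is not revealed through timing.
    public static boolean verifyPassword(String pswd, String stored) throws NoSuchAlgorithmException {
        String[] parts = stored.split("\\$", 2);
        if (parts.length != 2) return false;       // malformed record
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(parts[0]);
        byte[] expected = dec.decode(parts[1]);
        return MessageDigest.isEqual(expected, digest(salt, pswd));
    }

    private static byte[] digest(byte[] salt, String pswd) throws NoSuchAlgorithmException {
        MessageDigest hasher = MessageDigest.getInstance("SHA-256");
        hasher.update(salt);                       // salt goes into the digest input
        hasher.update(pswd.getBytes(StandardCharsets.UTF_8));
        return hasher.digest();
    }

    public static void main(String[] args) throws Exception {
        String stored = hashPassword("correct horse battery staple");
        System.out.println(stored);
        System.out.println(verifyPassword("correct horse battery staple", stored));
        System.out.println(verifyPassword("wrong password", stored));
        // Same password hashed again yields a different record because the salt differs,
        // which is what defeats precomputed dictionary and rainbow tables.
        System.out.println(hashPassword("correct horse battery staple").equals(stored));
    }
}
```

A salt stops precomputation but SHA-256 is still fast to brute-force per user, so a deliberately slow KDF such as PBKDF2 (`SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` in `javax.crypto`) is the stronger choice for stored passwords.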

Any update on the request? Thanks.

Hi, we are really glad you appreciated our project, and really appreciate your help. Unfortunately, we can't accept any pull request because this is a project for college and our teachers wouldn't exactly appreciate grading us for work that isn't completely ours.