Issue with password hashing without a salt
Opened this issue · 2 comments
Hi @kobero98,
Thanks for sharing the repository and it's a nice one.
I noticed one issue - the following program hashes then stores passwords without a salt:
Travelbook/src/main/java/travelbook/controller/ControllerLogin.java
The code is:
import java.security.MessageDigest;

// Hashes the password with plain SHA-1 and no salt: identical passwords produce
// identical hashes, so a precomputed dictionary or rainbow table recovers them.
private String passwordHash(String pswd) throws Exception {
    MessageDigest hasher = MessageDigest.getInstance("SHA-1");
    hasher.update(pswd.getBytes("UTF-8"));
    return toHex(hasher.digest());
}
SHA-1 has been considered obsolete and unsafe since 2016, and hashed passwords without a salt are vulnerable to dictionary attacks. This type of vulnerability is categorized as CWE-759: Use of a One-Way Hash without a Salt. I've submitted a Pull Request with the modified code adding a random salt to the SHA256 hash. Please consider merging the PR.
Thanks,
@luchua-bc
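To make the fix described above concrete, here is an added, stand-alone example of the salted-hash approach; it is not the code from the PR or from the Travelbook project. It assumes a storage format of the form `algorithm$salt$hash` (Base64-encoded fields, chosen here for illustration) and shows two things the comment argues for: a fresh random salt per password, so the same password stored twice yields different records and a precomputed table is useless, and constant-time comparison at verification time. It also goes one step beyond the PR by including PBKDF2-HMAC-SHA256 from the JDK, which adds a work factor on top of the salt; the iteration count is an assumed value, not a figure from the issue.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPasswordHashing {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 16;            // 128-bit salt, fresh per password
    private static final int PBKDF2_ITERATIONS = 600_000; // assumed work factor, tune to your hardware
    private static final int PBKDF2_KEY_BITS = 256;

    private static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                               // CSPRNG, not java.util.Random
        return salt;
    }

    // Salted SHA-256, the shape of fix proposed in the issue:
    // hash = SHA-256(salt || password); salt and hash are stored together.
    public static String hashSha256Salted(String password) throws GeneralSecurityException {
        byte[] salt = newSalt();
        return "sha256$" + b64(salt) + "$" + b64(sha256(salt, password));
    }

    private static byte[] sha256(byte[] salt, String password) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    // PBKDF2-HMAC-SHA256 (in the JDK since Java 8): same per-password salt, plus an
    // iteration count so every guess costs the attacker PBKDF2_ITERATIONS HMAC calls.
    public static String hashPbkdf2(String password) throws GeneralSecurityException {
        byte[] salt = newSalt();
        byte[] dk = pbkdf2(salt, password, PBKDF2_ITERATIONS);
        return "pbkdf2$" + PBKDF2_ITERATIONS + "$" + b64(salt) + "$" + b64(dk);
    }

    private static byte[] pbkdf2(byte[] salt, String password, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, PBKDF2_KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();                          // wipe the password copy held by the spec
        }
    }

    // Verification re-derives the hash from the stored salt and compares in constant time.
    public static boolean verify(String password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split("\\$");              // Base64 never contains '$'
        byte[] expected;
        byte[] actual;
        switch (parts[0]) {
            case "sha256":
                if (parts.length != 3) return false;
                expected = unb64(parts[2]);
                actual = sha256(unb64(parts[1]), password);
                break;
            case "pbkdf2":
                if (parts.length != 4) return false;
                expected = unb64(parts[3]);
                actual = pbkdf2(unb64(parts[2]), password, Integer.parseInt(parts[1]));
                break;
            default:
                return false;                              // unknown or malformed record
        }
        return MessageDigest.isEqual(expected, actual);    // constant-time, no early exit on mismatch
    }

    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }
    private static byte[] unb64(String s) { return Base64.getDecoder().decode(s); }

    public static void main(String[] args) throws GeneralSecurityException {
        String pw = "correct horse battery staple";        // constructed sample input
        String a = hashSha256Salted(pw);
        String b = hashSha256Salted(pw);
        // Same password, two different salts: the stored records differ, so a table
        // precomputed from a wordlist cannot be reused across users.
        System.out.println(a);
        System.out.println(b);
        System.out.println("records differ:  " + !a.equals(b));
        System.out.println("verify a:        " + verify(pw, a));
        System.out.println("verify b:        " + verify(pw, b));
        System.out.println("wrong password:  " + verify("Tr0ub4dor&3", a));

        String c = hashPbkdf2(pw);
        System.out.println(c);
        System.out.println("verify pbkdf2:   " + verify(pw, c));
    }
}
```

The salted SHA-256 form removes the shared-dictionary problem the issue names, but SHA-256 is still a fast function, so an attacker can test each guess against one record at hardware speed; that is why the PBKDF2 variant is included alongside it. Whichever form is stored, the salt must be random per password (never a fixed application-wide value) and the comparison must be constant-time, both of which `verify` does here.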
Any update on the request? Thanks.
Hi, we are really glad you appreciated our project, and we really appreciate your help. Unfortunately, we can't accept any pull request because this is a project for college and our teachers wouldn't exactly appreciate grading us for work that isn't completely ours.