
dhis2-devs team mailing list archive

Re: Major changes to password handling

 

Halvdan, this looks excellent.  Computing a straight bcrypt hash is so much
stronger than the peculiar, messy business which ended up in an MD5 hash of
a weird Java string hash.

This should also make it easier for those who have an interest in
generating password hashes outside of DHIS - eg using Python, R or what
have you.  I see the algorithm for generating the hash is pretty standard:
https://github.com/spring-projects/spring-security/blob/master/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoder.java
- that's a challenge to Jason to create an R version :-)

It's really great to see the effort you have gone to migrating from the old
hashes.  Let's hope it works - I presume you have tested well :-)

Cheers
Bob

On 30 September 2014 15:37, Halvdan Grelland <halvdanhg@xxxxxxxxx> wrote:

> Hi devs,
>
> Starting from trunk rev. 16881 (2.17 snapshot) we've made some major
> changes to the password handling scheme of DHIS 2. In short: all passwords
> and restore tokens are now stored as bcrypt hashes with random salts. This
> gives a great boost to security, but might carry some challenges for
> developers.
>
> All existing users in the DB are now being migrated to bcrypt hashes *on
> login*. In production this should work smoothly. However in a development
> context you might encounter the following situation:
>
>  - Logging in with any user on DHIS rev >= 16881 will change the password
> hash to the new scheme.
>  - A development branch which has not been merged with DHIS rev > 16881
> yet will then fail to authenticate the same user (both branches run on the
> same dev db) as the hash is not a valid MD5 digest anymore.
>
> I strongly suggest you merge any active development branches with trunk
> ASAP to avoid this conflict. You could also run any older branches on a
> different database (the provided sample data has not yet been altered to
> reflect the new scheme).
>
> Feel free to email me if you have any questions.
>
> Halvdan Grelland
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>
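
The on-login migration Halvdan describes, and the "generate the hash outside DHIS" point Bob raises, as an added example that is not DHIS 2 code and not part of either mail. It uses Spring Security's BCryptPasswordEncoder (the class Bob links; spring-security-crypto on the classpath is assumed) with its defaults, i.e. a "$2a$" prefix, cost factor 10 and a fresh random 16-byte salt per hash. The thread does not spell out the old scheme beyond "an md5 hash", so the legacy digest here is assumed to be plain lowercase-hex MD5 of the UTF-8 password; the class, method and field names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

/** Lazy (on-login) upgrade of a legacy digest to bcrypt. Illustration only, not DHIS 2 code. */
public class BcryptMigrationExample {

    // Spring defaults: "$2a$" prefix, strength 10, random salt generated per encode() call.
    private static final BCryptPasswordEncoder BCRYPT = new BCryptPasswordEncoder();

    // Modular crypt format the encoder emits: "$2a$" + 2-digit cost + "$" + 22 salt chars + 31 hash chars = 60 chars.
    private static final Pattern BCRYPT_FORMAT =
            Pattern.compile("\\A\\$2[abxy]?\\$\\d{2}\\$[./A-Za-z0-9]{53}\\z");

    // ASSUMPTION: legacy rows hold lowercase-hex MD5 of the UTF-8 password.
    // The real pre-16881 input to MD5 is not described in the thread.
    static String legacyHash(String password) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            byte[] digest = md5.digest(password.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(32);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /** True when the stored value is already a bcrypt hash, so the new code path applies. */
    static boolean isBcryptHash(String stored) {
        return stored != null && BCRYPT_FORMAT.matcher(stored).matches();
    }

    /** Outcome of one login: success flag plus the replacement hash the caller must persist, if any. */
    static final class LoginResult {
        final boolean authenticated;
        final String rehashed; // null when the row is already bcrypt or authentication failed

        LoginResult(boolean authenticated, String rehashed) {
            this.authenticated = authenticated;
            this.rehashed = rehashed;
        }
    }

    /**
     * Verify against whatever is stored. A legacy MD5 row that verifies is re-encoded with
     * bcrypt; once the caller writes that back, an older branch doing an MD5 comparison on
     * the same row fails, which is exactly the dev-database conflict the mail warns about.
     */
    static LoginResult login(String password, String storedHash) {
        if (isBcryptHash(storedHash)) {
            // matches() re-derives the hash using the salt and cost embedded in storedHash.
            return new LoginResult(BCRYPT.matches(password, storedHash), null);
        }
        byte[] expected = storedHash.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = legacyHash(password).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, actual)) { // constant-time comparison
            return new LoginResult(false, null);
        }
        return new LoginResult(true, BCRYPT.encode(password));
    }

    public static void main(String[] args) {
        // Constructed sample: a user row still on the legacy scheme.
        String legacyRow = legacyHash("correct-horse");

        LoginResult first = login("correct-horse", legacyRow);
        System.out.println("legacy login ok:  " + first.authenticated);
        System.out.println("upgraded hash:    " + first.rehashed + " (" + first.rehashed.length() + " chars)");

        // Second login after the row was rewritten: bcrypt path, no further rehash.
        LoginResult second = login("correct-horse", first.rehashed);
        System.out.println("bcrypt login ok:  " + second.authenticated + ", rehash needed: " + (second.rehashed != null));

        // Wrong password is rejected on both paths.
        System.out.println("wrong pw, bcrypt: " + login("wrong", first.rehashed).authenticated);
        System.out.println("wrong pw, legacy: " + login("wrong", legacyRow).authenticated);

        // What an un-merged branch would see: the new row is no longer a valid MD5 digest.
        System.out.println("old-branch MD5 match on new row: " + legacyHash("correct-horse").equals(first.rehashed));
    }
}
```

Two practical notes. Each encode() call produces a different string for the same password because the salt is random, so hashes generated elsewhere (Python, R) must be verified with a bcrypt check, never by string equality against a stored value. And bcrypt only consumes the first 72 bytes of the password; anything longer is silently ignored by the underlying algorithm, which is worth knowing if a hash generated outside DHIS is expected to line up with one generated inside it.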
