dhis2-users team mailing list archive

Re: Editing Usernames


Hi Edward,

It does not. There is not any random salt, but the password is salted with
the username. This method only attempts to prevent brute force attacks
where the user would have to develop a password dictionary for each user. A
random salt might be a better option, something to explore. However, the
most important issue with DHIS2 is that usernames/passwords must be
transmitted over SSL and that logs are regularly monitored against brute force
attacks. Usually, however, we see many more attacks on the server itself
than on the application (usually dozens or hundreds a day).

Regards,
Jason




On Tue, Sep 4, 2012 at 9:33 PM, Edward Ari Bichetero <ebichete@xxxxxxxxx> wrote:

> Hello Bob,
>
> I hope the password hash uses a random component to 'salt' (permute) the
> hash in addition to the username, not just the username itself. Otherwise,
> this would present a cryptographic vulnerability into the system and any
> other systems where the user uses the same username/password combination.
> Especially for usernames such as "root" and "admin".
>
> - Edward -
>
>  ----- Original Message -----
> From: Bob Jolliffe <bobjolliffe@xxxxxxxxx>
> To: Muhire Andrew <muhireandrew@xxxxxxxxx>
> Cc: "dhis2-users@xxxxxxxxxxxxxxxxxxx" <dhis2-users@xxxxxxxxxxxxxxxxxxx>
> Sent: Thursday, August 30, 2012 12:22 PM
> Subject: Re: [Dhis2-users] Editing Usernames
>
> Hi Andrew
>
> A problem with modifying the username is that the password hash is
> also encoded and saved using the username as part of the hash
> algorithm.  So in order to modify the username you would also need to
> reenter the password in order for it to be re-encoded.  This might be
> problematic - even superusers don't necessarily know the passwords of
> the users.
>
> Bob
>
> On 30 August 2012 08:29, Muhire Andrew <muhireandrew@xxxxxxxxx> wrote:
> > Hi all,
> >
> > Dear dhis2 Users, I would suggest in DHIS2 to give
> > administrator/superusers rights for modifying the existing username. At
> > the moment it's not possible. I think this can be helpful in case you need
> > to make modifications on some usernames without deleting the whole staff.
> >
> > NB: only superusers, because other users can make it worse, since most of
> > these usernames are created with central level system administration
> > standards.
> >
> > Thanks!
> >
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-users
> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-users
> More help   : https://help.launchpad.net/ListHelp
>
>
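The two points raised in this thread, that the hash is salted with the username rather than a random value (Jason) and that renaming a user therefore invalidates the stored hash unless the password is re-entered (Bob), illustrated with added example code that is not DHIS2's own implementation. The PBKDF2 construction, iteration count, record layout and function names are assumptions chosen for the demonstration; the point is the contrast between a username-derived salt and a per-user random salt stored beside the hash.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # constructed parameter for the demo, not a DHIS2 setting


def hash_with_username(username: str, password: str) -> str:
    """Username-as-salt scheme: deterministic, so the same username and
    password produce the same hash on every system that uses it."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), username.encode(), ITERATIONS
    ).hex()


def verify_with_username(username: str, password: str, stored: str) -> bool:
    return hmac.compare_digest(hash_with_username(username, password), stored)


def hash_with_random_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt, stored alongside the hash and independent of the
    username. A fresh salt is drawn when none is supplied (enrolment)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_with_random_salt(password: str, salt: bytes, stored: str) -> bool:
    _, candidate = hash_with_random_salt(password, salt)
    return hmac.compare_digest(candidate, stored)


def rename_user_username_salt(record: dict, new_name: str) -> dict:
    """Rename under the username-salt scheme: the hash is kept as-is, so it
    no longer verifies against the new name (the password would be needed)."""
    return {"username": new_name, "hash": record["hash"]}


def rename_user_random_salt(record: dict, new_name: str) -> dict:
    """Rename under the random-salt scheme: salt and hash are untouched and
    still verify, because neither depends on the username."""
    return {"username": new_name, "salt": record["salt"], "hash": record["hash"]}
```
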
