dhis2-users team mailing list archive

[Bob Jolliffe <bobjolliffe@xxxxxxxxx>]

Jason is right.  The password is concatenated with a (weak) one way
hash of the username (java.String.hashCode) and the md5 hash is
calculated from that.  It's not particularly cryptographically sound
in today's day and age but is a legacy piece of code which we might
and perhaps should consider updating for new passwords (whilst still
supporting the existing ones).

As a related aside, in Rwanda I advised system administrators to
remove the "admin" user after they had created 2 or 3 users with
superuser roles.  Retaining an "admin" user simply increases your
attack surface and encourages bad non-auditable practice.

I do also agree with Jason that the larger risk is the security of the
server and the network traffic.

Regarding the number of attacks daily (particularly on ssh) I find
that the simple measure of always moving sshd from port 22 to some
other port reduces this number significantly.

Bob

On 4 September 2012 16:21, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:
> Hi Edward,
>
> It does not. There is not any random salt, but the password is salted with
> the username. This method only attempts to prevent brute force attacks where
> the user would have to develop a password dictionary for each user. A random
> salt might be a better option, something to explore. However, the most
> important issue with DHIS2 is that usernames/passwords must be transmitted
> over SSL and that logs regularly monitored against brute force attacks.
> Usually however, we see much more attacks on the server itself than the
> application (usually dozens or hundreds a day).
>
> Regards,
> Jason
>
>
>
>
> On Tue, Sep 4, 2012 at 9:33 PM, Edward Ari Bichetero <ebichete@xxxxxxxxx>
> wrote:
>>
>> Hello Bob,
>>
>> I hope the password hash uses a random component to 'salt' (permute) the
>> hash in addition
>> to the username, not just the username itself. Otherwise, this would
>> present a cryptographic
>> vulnerability into the system and any other systems where the user uses
>> the same
>> username/password combination. Especially, for usernames such as "root"
>> and "admin".
>>
>> - Edward -
>>
>> ----- Original Message -----
>> From: Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>> To: Muhire Andrew <muhireandrew@xxxxxxxxx>
>> Cc: "dhis2-users@xxxxxxxxxxxxxxxxxxx" <dhis2-users@xxxxxxxxxxxxxxxxxxx>
>> Sent: Thursday, August 30, 2012 12:22 PM
>> Subject: Re: [Dhis2-users] Editing Usernames
>>
>> Hi Andrew
>>
>> A problem with modifying the username is that the password hash is
>> also encoded and saved using the username as part of the hash
>> algorithm.  So in order to modify the username you would also need to
>> reenter the password in order for it to be re-encoded.  This might be
>> problematic - even superusers don't necessarily know the passwords of
>> the users.
>>
>> Bob
>>
>> On 30 August 2012 08:29, Muhire Andrew <muhireandrew@xxxxxxxxx> wrote:
>> > Hi all,
>> >
>> > Dear dhis2 Users, i would suggest in DHIS2 to give
>> > administrator/superusers
>> > rights for modifying the existing username. At the moment its not
>> > possible.
>> > I think this can be helpful in case you need to make modifications on
>> > some
>> > usernames without deleting the whole staff.
>> >
>> > NB: only superusers, Because other users can make it worse. since most
>> > of
>> > these usernames are created with central level system administration
>> > standards.
>> >
>> > Thanks!
>> >
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-users
>> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-users
>> More help   : https://help.launchpad.net/ListHelp
>>
>