PBKDF2-HMAC-SHA1 password hashing for TF-Login

Pierce Ng-3
Hi all,

I've implemented PBKDF2-HMAC-SHA1 in TF-Login 'password' branch to
replace the existing simple and insecure SHA1-based password hashing
scheme.

To load, start with a fresh Pharo 7 image:

    "First load Seaside."
    Metacello new
        baseline: 'Seaside3';
        repository: 'github://SeasideSt/Seaside:v3.3.3/repository';
        load.
    "Then load TF-Login."
    Metacello new
        baseline: 'TFLogin';
        repository: 'github://PierceNg/TF-Login:password/src';
        load.

As originally implemented, TF-Login also supports cookie-based auto-login,
which works by storing username and the SHA1-hashed password in client
cookies. This scheme is certainly not secure by current standards and can't
be used together with PBKDF2-HMAC-SHA1 password hashing.

Possible future work on TF-Login password management:

- OAuth2, to replace the existing insecure cookie-based auto-login

- 2FA

Pierce
_______________________________________________
seaside mailing list
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
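As an added example (not TF-Login's code, and written in Python rather than Pharo so it runs anywhere), this is the PBKDF2-HMAC-SHA1 construction from RFC 8018 built directly on HMAC, with a salted stored-hash format and verifier next to the unsalted single-pass SHA1 scheme it replaces. The iteration count, salt length and `pbkdf2-sha1$...` storage format are this example's own choices, not the branch's.

```python
import hashlib
import hmac
import os
import struct

HASH = "sha1"
HLEN = 20            # SHA-1 digest length in bytes
ITERATIONS = 100_000 # assumption: an illustrative work factor, not TF-Login's
SALT_LEN = 16        # assumption: 128-bit random salt per password


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 with PRF = HMAC-SHA1 (RFC 8018 section 5.2), written out step by step."""
    blocks = -(-dklen // HLEN)  # ceil(dklen / hLen)
    out = b""
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
        u = hmac.new(password, salt + struct.pack(">I", i), HASH).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, HASH).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
    return out[:dklen]


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2-sha1$iterations$salthex$dkhex'; a fresh salt unless one is given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = pbkdf2_hmac_sha1(password.encode("utf-8"), salt, iterations, HLEN)
    return f"pbkdf2-sha1${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2-sha1":
        return False
    dk = pbkdf2_hmac_sha1(password.encode("utf-8"), bytes.fromhex(salt_hex),
                          int(iters), len(dk_hex) // 2)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def legacy_sha1(password: str) -> str:
    """The scheme being replaced: unsalted, one round, identical output for identical input."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()
```

Because the salt is random, two hashes of the same password differ yet both verify, which is exactly what the legacy scheme lacks.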