[ZBX-9871] Migrate DB Password hashing to SHA256
Created: 2015 Sep 11 | Updated: 2017 May 30 | Resolved: 2015 Sep 13 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | Frontend (F) |
Affects Version/s: | 2.2.10 |
Fix Version/s: | None |
Type: | Incident report | Priority: | Trivial |
Reporter: | Daniel Ennis | Assignee: | Unassigned |
Resolution: | Duplicate | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Issue Links: |
Description |
I noticed that user passwords are stored in the database using an unsalted MD5 hash for the internal authentication. This is generally accepted as bad practice and broken, as MD5 hashes can be cracked in a trivial amount of time. I propose that Zabbix migrate to a salted SHA256 hashing scheme to improve user password security. It would be trivial to do by simply adding another column that marks what scheme the password is hashed with (defaulting to MD5 for existing users), and on login / change of password, switching to a SHA256 hash and updating the hash column accordingly when MD5 is used. Since 2.2 is LTS, I would really like for it to happen in 2.2. |
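The migration proposed in the description, as an added example that is not Zabbix code and not part of the original report: a scheme column defaulting to `md5`, and a re-hash to salted SHA-256 on the first successful login. The table and column names (`users`, `username`, `passwd`, `passwd_scheme`), the `salt$digest` storage format and all function names are assumptions made for the illustration.

```python
import hashlib, hmac, os, sqlite3

def md5_hex(password):
    # Legacy scheme from the report: unsalted MD5 of the password.
    return hashlib.md5(password.encode()).hexdigest()

def salted_sha256(password, salt=None):
    # Proposed scheme: random per-user salt, stored as "salt_hex$digest_hex" (assumed format).
    salt = os.urandom(16) if salt is None else salt
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()

def verify(password, scheme, stored):
    if scheme == "md5":
        candidate = md5_hex(password)
    elif scheme == "sha256":
        try:
            salt = bytes.fromhex(stored.split("$", 1)[0])
        except ValueError:
            return False  # malformed stored value: fail closed
        candidate = salted_sha256(password, salt)
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, stored)

def login(db, username, password):
    row = db.execute("SELECT passwd, passwd_scheme FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None or not verify(password, row[1], row[0]):
        return False
    if row[1] == "md5":
        # The plaintext is only available at login, so this is where the upgrade happens.
        db.execute("UPDATE users SET passwd = ?, passwd_scheme = 'sha256' WHERE username = ?",
                   (salted_sha256(password), username))
        db.commit()
    return True

def demo_db():
    # Constructed sample data: one existing user with an unsalted MD5 hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (md5_hex("correct horse"),))
    # The schema change: existing rows are marked with the legacy scheme by default.
    db.execute("ALTER TABLE users ADD COLUMN passwd_scheme TEXT NOT NULL DEFAULT 'md5'")
    return db

def scheme_of(db, username):
    return db.execute("SELECT passwd_scheme FROM users WHERE username = ?",
                      (username,)).fetchone()[0]
```

Because the scheme is recorded per row, accounts that never log in keep their MD5 hash until a password change, and a further scheme can be introduced later by the same mechanism.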
Comments |
Comment by Marc [ 2015 Sep 12 ] |
Sounds like a duplicate of |
Comment by richlv [ 2015 Sep 13 ] |
thanks, closing as a duplicate of |