Opened 4 years ago

Last modified 4 years ago

#537 assigned Bug / Defect

Local user storage (sqlite3) uses SHA256 for user passwords

Reported by: synfinatic
Owned by: jamesyonan
Priority: major
Milestone:
Component: Access Server
Version: OpenVPN 2.0.x (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: security
Cc:

Description

Sorry, but unsalted SHA256 is very vulnerable to a dictionary attack in the userprop.db. You should use something more secure like scrypt or pbkdf2. Even bcrypt would be a lot better.
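
The contrast the description draws, as an added example that is not part of the ticket and is not OpenVPN Access Server code: unsalted SHA-256 next to salted PBKDF2-HMAC-SHA256, with an upgrade-on-login path for existing digests. The record format, the iteration count and all function names are assumptions made for illustration; the actual layout of userprop.db is not shown on this page.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware

def legacy_sha256(password: str) -> str:
    """Scheme reported in the ticket: one unsalted SHA-256 pass."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 as 'pbkdf2_sha256$iters$salt$digest'."""
    salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and count; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # a malformed record never authenticates
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)

def check_and_upgrade(password: str, stored: str, iterations: int = ITERATIONS):
    """Return (ok, record_to_store). A legacy digest that matches is replaced
    by a salted PBKDF2 record at the moment the user logs in."""
    if "$" in stored:
        return verify_password(password, stored), stored
    legacy = legacy_sha256(password).encode()
    if hmac.compare_digest(legacy, stored.lower().encode()):
        return True, hash_password(password, iterations)
    return False, stored

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Unsalted: every user with this password gets the same digest.
    print(legacy_sha256(pw) == legacy_sha256(pw))
    # Salted: two records for the same password differ, yet both verify.
    a, b = hash_password(pw), hash_password(pw)
    print(a != b, verify_password(pw, a), verify_password(pw, b))
    ok, upgraded = check_and_upgrade(pw, legacy_sha256(pw))
    print(ok, upgraded.split("$")[0])
```

Because the unsalted digest is a pure function of the password, equal passwords are visible as equal rows and one precomputed table applies to every account; the per-user salt and iteration count remove both properties.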

Change History (1)

comment:1 Changed 4 years ago by Samuli Seppänen

Owner: set to jamesyonan
Status: new → assigned