Opened 4 years ago

Closed 2 months ago

#537 closed Bug / Defect (fixed-external)

Local user storage (sqlite3) uses SHA256 for user passwords

Reported by: synfinatic Owned by: jamesyonan
Priority: major Milestone:
Component: Access Server Version: OpenVPN 2.0.x (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: security
Cc:

Description

Sorry, but unsalted SHA256 is very vulnerable to a dictionary attack in the userprop.db. You should use something more secure like scrypt or pbkdf2. Even bcrypt would be a lot better.

Change History (2)

comment:1 Changed 4 years ago by Samuli Seppänen

Owner: set to jamesyonan
Status: newassigned

comment:2 Changed 2 months ago by novaflash

Resolution: fixed-external
Status: assignedclosed

Just reviewing and closing old tickets that were left open in the community site, although these were already copied into our internal tracking system and handled there.

Yes, other hashing methods are better, and we'll consider doing that. However to get them, you will have to have root access to the server already, so the priority of this improvement is low and therefore put into backlog.

Note: See TracTickets for help on using tickets.