Opened 9 years ago
Closed 5 years ago
#537 closed Bug / Defect (fixed-external)
Local user storage (sqlite3) uses SHA256 for user passwords
Reported by: | synfinatic | Owned by: | jamesyonan |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Access Server | Version: | OpenVPN 2.0.x (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | security |
Cc: |
Description
Sorry, but unsalted SHA256 is very vulnerable to a dictionary attack in the userprop.db. You should use something more secure like scrypt or pbkdf2. Even bcrypt would be a lot better.
Change History (2)
comment:1 Changed 9 years ago by
Owner: | set to jamesyonan |
---|---|
Status: | new → assigned |
comment:2 Changed 5 years ago by
Resolution: | → fixed-external |
---|---|
Status: | assigned → closed |
Just reviewing and closing old tickets that were left open in the community site, although these were already copied into our internal tracking system and handled there.
Yes, other hashing methods are better, and we'll consider doing that. However, to get them, you will have to have root access to the server already, so the priority of this improvement is low and therefore put into backlog.
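Added example, not part of the ticket or of OpenVPN's code: a sketch of moving a sqlite3 user store from unsalted SHA-256 to salted PBKDF2-HMAC-SHA256 (one of the options named in the description), rehashing each legacy record at the user's next successful login. The `users` table, the `pbkdf2_sha256$...` record format, the iteration count and the sample password are assumptions made for illustration; they do not reflect the real userprop.db schema.

```python
import hashlib, hmac, os, sqlite3

ITERATIONS = 600_000  # assumption: tune to your hardware and login latency budget

def legacy_hash(password: str) -> str:
    """Unsalted SHA-256 hex digest, the scheme the ticket describes."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt, in a self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str):
    """Return (ok, needs_upgrade) for either record format."""
    if record.startswith("pbkdf2_sha256$"):
        try:
            _, iters, salt_hex, dk_hex = record.split("$")
            dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
            ok = hmac.compare_digest(dk, bytes.fromhex(dk_hex))
        except (ValueError, OverflowError):
            return False, False  # malformed record: reject, never fall back
        return ok, ok and int(iters) < ITERATIONS
    ok = hmac.compare_digest(legacy_hash(password).encode(), record.encode())
    return ok, ok  # a legacy record is always due for an upgrade

def login(db, name, password):
    """Check a login against the hypothetical users table; rehash on success."""
    row = db.execute("SELECT record FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    ok, upgrade = verify_password(password, row[0])
    if upgrade:
        db.execute("UPDATE users SET record = ? WHERE name = ?",
                   (hash_password(password), name))
    return ok

def demo_db():
    """Constructed sample data: two users sharing one password, legacy format."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, record TEXT)")
    for name in ("alice", "bob"):
        db.execute("INSERT INTO users VALUES (?, ?)", (name, legacy_hash("hunter2")))
    return db
```

In the sample data the two legacy records are byte-for-byte identical because nothing user-specific enters the hash; after both users log in once, each record carries its own salt and the two no longer match.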