Improved password encryption?

This is a forum to suggest new features for mojoPortal. 

2/22/2014 2:21:14 PM

Improved password encryption?

I've had a situation where SHA512 salted password encryption didn't meet project requirements. Could/should mojoPortal switch to bcrypt.net?

http://codahale.com/how-to-safely-store-a-password/ 

http://bcrypt.codeplex.com/


2/24/2014 9:54:23 AM
Proud member of the mojoPortal team


Re: Improved password encryption?

I would say it might be best to jump straight to scrypt in that case. There's a C# implementation of it in the CryptSharp library. It uses the ISC license, which I'm not sure is compatible with mojoPortal, so Joe would have to review it to see if it works.

The most difficult thing would probably be backward compatibility for existing sites.

Jamie

2/24/2014 10:15:03 AM

Re: Improved password encryption?

SHA512 is used for hashed passwords, not encrypted ones. For encryption we are using whatever is built into the ASP.NET membership provider that is the base class for our mojoMembershipProvider. I believe it is based on the machineKey, so SHA1/AES is what I believe it uses.

I definitely think the hashed sha512 with random salt is the most secure.

I'm sorry if that doesn't meet the needs of your project, but I have no near-term plans to implement any new encryption scheme unless someone wants to sponsor it financially. BCrypt looks like an interesting project, so I don't rule out ever using it, but it is certainly not happening soon without financial incentive.

It is OK with me if you use something else for your project to meet your requirements; I do not expect mojoPortal to be the best option for every project.

Joe

2/24/2014 1:39:35 PM

Re: Improved password encryption?

In this particular case it was a silly box-tick thing, but I just thought I'd raise it with you, as it's perhaps a factor that might make possible users go for other options, which would be a bad thing if it is not well-grounded. But I've not researched what other CMSs do.

PS: and yes, of course I should have said password hash and not encryption! But from what I have read, SHA512 + random salt alone is no longer considered sufficiently resilient without additional key stretching, so maybe it's one for the roadmap.
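The two points the thread circles around, that a single salted SHA-512 pass is cheap for an attacker to brute-force while a stretched KDF is not, and that the hard part of switching is backward compatibility for existing hashes, can be shown concretely. The following is an added example written for this page; it is not mojoPortal code and does not reflect how mojoMembershipProvider stores hashes. It uses only the Python standard library (hashlib.scrypt stands in for the scrypt/bcrypt libraries mentioned above), and the "$scheme$params$salt$hash" storage format, the cost parameters and the sample password are assumptions of the example. The upgrade path is the standard trick: when a user logs in against a legacy hash, the plaintext is in hand, so the hash can be rewritten with the stronger scheme without forcing a password reset.

```python
"""Added example (not mojoPortal code): salted SHA-512 versus a stretched KDF,
plus a verify-and-upgrade path for migrating stored hashes on next login."""
import base64
import hashlib
import hmac
import os
import time

# Example scrypt cost; tune per deployment (assumption of this example).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def sha512_salted(password: str, salt: bytes) -> bytes:
    """One SHA-512 over salt||password. The random salt defeats precomputed
    tables, but a single pass costs the attacker about as little as it costs us."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def scrypt_derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Memory-hard key stretching: every guess needs ~128*r*n bytes of RAM and
    n rounds of mixing, so the per-guess cost is set by us, not by the hash."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          dklen=64, maxmem=64 * 1024 * 1024)


def hash_legacy(password: str) -> str:
    """Hypothetical legacy record: '$sha512$$<salt>$<digest>' (no params)."""
    salt = os.urandom(SALT_LEN)
    return "$sha512$$%s$%s" % (_b64(salt), _b64(sha512_salted(password, salt)))


def hash_scrypt(password: str, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> str:
    """Hypothetical stretched record; the cost parameters travel with the hash
    so they can be raised later without breaking old records."""
    salt = os.urandom(SALT_LEN)
    params = "n=%d,r=%d,p=%d" % (n, r, p)
    digest = scrypt_derive(password, salt, n, r, p)
    return "$scrypt$%s$%s$%s" % (params, _b64(salt), _b64(digest))


def _parse(stored: str):
    _, scheme, params, salt, digest = stored.split("$")
    return scheme, params, _unb64(salt), _unb64(digest)


def verify(password: str, stored: str) -> bool:
    """Scheme-agnostic check; compare_digest avoids a timing side channel."""
    scheme, params, salt, digest = _parse(stored)
    if scheme == "sha512":
        candidate = sha512_salted(password, salt)
    elif scheme == "scrypt":
        kv = dict(pair.split("=") for pair in params.split(","))
        candidate = scrypt_derive(password, salt, int(kv["n"]), int(kv["r"]), int(kv["p"]))
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, digest)


def verify_and_upgrade(password: str, stored: str):
    """Returns (ok, new_stored). A successful login against a legacy hash
    returns a fresh scrypt record for the caller to persist; otherwise None."""
    ok = verify(password, stored)
    if ok and _parse(stored)[0] != "scrypt":
        return True, hash_scrypt(password)
    return ok, None


def guesses_per_second(hasher, rounds: int) -> float:
    """Rough single-core throughput of a scheme; the ratio between schemes is
    the point, absolute numbers depend on the machine."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for _ in range(rounds):
        hasher("correct horse", salt)  # constructed sample password
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    legacy = hash_legacy("correct horse")
    ok, upgraded = verify_and_upgrade("correct horse", legacy)
    print("login ok:", ok, "| upgraded to scrypt:", upgraded.startswith("$scrypt$"))
    fast = guesses_per_second(sha512_salted, rounds=2000)
    slow = guesses_per_second(
        lambda pw, s: scrypt_derive(pw, s, SCRYPT_N, SCRYPT_R, SCRYPT_P), rounds=5)
    print("salted SHA-512: %.0f guesses/s | scrypt: %.1f guesses/s | ratio: %.0fx"
          % (fast, slow, fast / slow))
```

Running the script prints the guess-rate ratio, which is the whole argument for key stretching in one number: the salt alone does nothing to slow an attacker who already has the stored salt, only the work factor does. The same verify-then-rehash shape works with bcrypt.net or CryptSharp in a .NET provider; the stored record just needs to carry which scheme and parameters produced it.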
