[support] Passwords in Drupal
Daniel Carrera
daniel.carrera at zmsl.com
Fri Oct 3 18:37:48 UTC 2008
Hello,
This isn't a question but rather a comment. I'm not sure if this is the
right list to bring this up. I just noticed that Drupal stores user
passwords as a simple MD5 sum: md5($password)
Sure, MD5(passwd) clearly beats plain text, but I was hoping for
something better. In particular, I was hoping to see secure salts and
maybe other security features. The current system has vulnerabilities.
You can compute the hashes for a standard dictionary of passwords and
compare the hashes. Some passwords are very common ("password" and
"password1"). I just tried it on my system and I found 6 users whose
password is password. Because MD5 is a very cheap function and there are
no salts, a dictionary attack is quite easy.
I understand that there are already millions of Drupal users and you
can't drop MD5(pass). But I can still suggest a simple upgrade path that
results in a secure hash. A future version of Drupal (e.g. Drupal 7)
could use a hash of the form:
$salt = "uqYmV7yoUFYLQ5AspBK"; // Anything long and random is fine.
$hash = hash_hmac('sha1', md5($passwd), $user_id . $salt);
There, simple. The last parameter is the key, but we only use it as a salt.
Notice how each user gets a different salt. This makes dictionary
attacks more difficult. I use HMAC rather than SHA1 because it has great
key-mixing properties. With SHA1 the salt ($user_id.$salt) would have
important weaknesses.
If a future version of Drupal used this hash, it would be easy to
migrate users from previous versions of Drupal. The upgrade.php program
would grab the password field - MD5(pass) - and user id of each user,
compute the new hash, and store that back into the password field.
For brownie points we could add another step that runs the hash through
a slower compression algorithm like Blowfish or Serpent. The idea is
that if computing a hash is more expensive, we can foil dictionary
attacks more effectively.
What do you think?
Daniel.
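The upgrade path sketched in the post, worked through end to end as an added example. This is not code from the post or from Drupal, and it is written in Python rather than PHP so it can be run stand-alone; the site salt is the one from the post, and the user table and attacker wordlist are constructed for illustration. It shows the legacy unsalted md5 column, the in-place migration upgrade.php would perform (wrapping the stored md5 in an HMAC keyed by user id plus site salt, with no need for anyone's cleartext password), login verification against the migrated column, and a dictionary attack run against both tables so the cost difference the post describes is visible as a count of hash evaluations.

```python
import hashlib
import hmac

# Site-wide secret taken from the post; anything long and random is fine.
SITE_SALT = "uqYmV7yoUFYLQ5AspBK"

# Constructed sample data (not real Drupal users): uid -> cleartext password.
# Two users share the weak password "password", as in the post's anecdote.
SAMPLE_USERS = {
    1: "password",
    2: "password",
    3: "hunter2",
    4: "letmein",
    5: "correct horse battery staple",
}

# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "letmein"]


def legacy_hash(password: str) -> str:
    """Pre-upgrade scheme described in the post: unsalted md5($password)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wrap_legacy(legacy_md5: str, user_id: int, site_salt: str = SITE_SALT) -> str:
    """Proposed scheme: hash_hmac('sha1', md5($passwd), $user_id . $salt).

    Takes the *stored* md5 hex digest, not the password, so upgrade.php can
    rewrite every row without knowing anyone's password.
    """
    key = f"{user_id}{site_salt}".encode("utf-8")
    return hmac.new(key, legacy_md5.encode("utf-8"), hashlib.sha1).hexdigest()


def new_hash(password: str, user_id: int, site_salt: str = SITE_SALT) -> str:
    """Hash a freshly entered password under the new scheme."""
    return wrap_legacy(legacy_hash(password), user_id, site_salt)


def migrate(legacy_table: dict) -> dict:
    """What upgrade.php would do: replace each stored md5 with the wrapped hash."""
    return {uid: wrap_legacy(old, uid) for uid, old in legacy_table.items()}


def verify(password: str, user_id: int, stored: str, site_salt: str = SITE_SALT) -> bool:
    """Login check; constant-time compare so timing does not leak the digest."""
    return hmac.compare_digest(new_hash(password, user_id, site_salt), stored)


def crack_legacy(table: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted md5: one hash per candidate word covers
    every user at once. Returns ({uid: password}, number_of_hash_evaluations)."""
    lookup = {legacy_hash(w): w for w in wordlist}
    cracked = {uid: lookup[h] for uid, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def crack_wrapped(table: dict, wordlist: list) -> tuple:
    """Same attack on the per-user-salted table: every candidate has to be
    recomputed for every user, so the work scales with the number of users."""
    cracked = {}
    evaluations = 0
    for uid, stored in table.items():
        for w in wordlist:
            evaluations += 1
            if new_hash(w, uid) == stored:
                cracked[uid] = w
    return cracked, evaluations


# The password column as it would look before and after running upgrade.php.
LEGACY_TABLE = {uid: legacy_hash(pw) for uid, pw in SAMPLE_USERS.items()}
NEW_TABLE = migrate(LEGACY_TABLE)


if __name__ == "__main__":
    # Identical passwords collide in the legacy column but not in the new one.
    print("legacy uid1 == uid2:", LEGACY_TABLE[1] == LEGACY_TABLE[2])
    print("new    uid1 == uid2:", NEW_TABLE[1] == NEW_TABLE[2])
    for name, table, attack in (("legacy", LEGACY_TABLE, crack_legacy),
                                ("wrapped", NEW_TABLE, crack_wrapped)):
        cracked, cost = attack(table, WORDLIST)
        print(f"{name}: cracked {sorted(cracked)} with {cost} hash evaluations")
    print("login ok:", verify("hunter2", 3, NEW_TABLE[3]))
```

Two things worth noticing when running it. First, the migration never touches a cleartext password: `migrate` only sees the stored md5 digests, which is what makes the scheme a drop-in upgrade for existing rows. Second, the attack counts show what the per-user salt buys and what it does not: it removes the one-hash-cracks-everyone shortcut, so the attacker's work is multiplied by the number of users, but each trial is still one md5 plus one HMAC-SHA1, both fast. That is exactly the gap the post's "brownie points" step, a deliberately slow function applied to the result, is meant to close.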