I vote for the annoy the users approach. >:)

Eek, Wallphone, that discussion you linked gives me chills. I hope Mark has had second thoughts about those comments in the last two years.

Personally I would prefer to see 1.1.5 delayed a bit rather than wait another 10 months to get this into 1.1.6. Vanilla isn't Ubuntu, the project isn't bound by an arbitrary release schedule.

As you pointed out, this has been a problem for well over two years. It should be clear that single-hashed md5 isn't anywhere near "industry standard" these days. I'm not trying to be a zealot about this, I just feel that Vanilla is riding the security FAILboat and needs to stop.

I'll take a look at doing the patch.

Maybe with Vanilla 1.2, but I think it should come when the corruption problem with conf/*.php files are over. We will also need a feature to reset all users' passwords.

Also, is it worth the trouble? It will be as secure as the salt key can be. If someone get access to the server, he's got the passwords' hashes and the salt key.

IANAC, but what he said ^^^. :)

why even bother with the whole 'password' replacement stuff? how about just tacking on the new system to the old; ie. reencrypting the existing hashes with, eg. sha + random (stored) salt, possibly several times. then you've got the added security of a hash mixture, and you save yourself a lot of hassle.

to clarity: freeze db activity for a short period, and run a one-time script to apply to new method to the existing hashes and insert salts. then glue the method on to the existing hash routine and start it up again.

ooo, you could even base the # of hash iterations off the salt. eg.function newhash($oldhash, $salt) //salt = really big integer
{
$r = $oldhash;

for($i = $salt % 50; $i >= 0; $i--)
$r = sha1($r.$salt);

return $r;
}then both the input /and/ the function would be dynamic.

edit2: and the verification key for cookies could be randomly generated each login with the IP address as a salt.

...then again, not sure how well that would go over with dynamic IP users...

edit3: /me is editing it into Authenticator class

That's would be perfect as long as it slow enough and doesn't reduce the entropy(?).

As long as we are suppose to be compatible with 4.1, you will have to use md5.

For the change, what about doing something like that:
ALTER TABLE Lum_User ADD TempPassword VARCHAR( 32 ) AFTER Password ;
SELECT UserID,Password FROM Lum_User WHERE TempPassword IS NULL LIMIT 0 , 10
UPDATE Lum_User SET TempPassword = $NewPassword WHERE UserID = $UserId
[...]
LOCK TABLES Lum_User WRITE;
ALTER TABLE Lum_User DROP Password;
ALTER TABLE Lum_User CHANGE TempPassword Password
// Only then does vanilla start using the new authenticator by changing a configuration setting
UNLOCK TABLES;


Dinoboff:

add a global salt key, empty by default. It is up to you to create it and to save it.

No global salt. The salt is a nonce, generated randomly every time a new password hash is created.

Add two columns to the user table: NewPassword (what should be length?) and SaltKey (unique, what should be the length? should it be of variable length?). Having a column for new password allow to update the passwords hashes by different stage; first you just wait that they log-in again, regenerate remember-me keys, remove all old password hashes.

Salt is part of the password hash, just like UNIX crypt. Don't add new columns, just extend the length of the current password column. If you really need to tell an old pw from a new one, use the length.

Update UserManager and User classes; to login a user, it would get his/her password hash, new password hash and salt key. If it has to use the old hash, it create the new hash and salt key and remove the old hash.

You do need to update UserManager (and two or three other places as well, I've found) to actually fetch the contents of the password field. But once you have the hash you can compare it to a straight md5 hash (or plaintext, there is code there for backward compatibility with plaintext passwords). If it matches, generate a new phpass hash and store it. If it doesn't match, validate the user-submitted password against the phpass hash. If it still doesn't match, login fails.

Update the installer and the updater for vanilla 0.9.x (should we bother?)

I wouldn't. Can you even download 0.9.x anymore? If the new patch is backwards compatible, don't bother.

Find a way to update vanilla 1.0.x and 1.1.x

See above. This can be made to upgrade invisibly as users log in.

Add a feature to regenerate all users' "remember me" keys.

Hadn't thought of that. Best might be to just blow them away. Users can suffer through the one-time inconvenience of having to log in again.

Add a feature to remove all old hashes and email all password-less users to update their password.

This might be tricky. You could try feeding the existing md5 hashes through phpass. That would work but it might take a long time. I don't know, I haven't done the performance tests myself.

Change the error message so that on a failed login, it might be that vanilla doesn't have their password any more.

If we decide it's best to blow away everyone's password we could add a check on login to see if that user's password is blank. If it's blank, show a "we're so sorry" message and do an automatic password reset by email.

SirNot:

why even bother with the whole 'password' replacement stuff? how about just tacking on the new system to the old; ie. reencrypting the existing hashes with, eg. sha + random (stored) salt, possibly several times. then you've got the added security of a hash mixture, and you save yourself a lot of hassle.

We can do this with phpass as well, just rehash the existing hashes. I think we don't want to use sha1 for the same reason we don't want md5, it's designed to be too fast. There is a fallback mode in phpass if your PHP doesn't have the mcrypt extension, but it iterates md5 + pseudo-random hash like a thousand times.

I know I keep saying phpass. I'm not married to it, I just know the most about it and I know other high-profile projects that use it. We really, really don't want to cook up our own system for this. The best system is one that was a) designed by people who spend lots of time thinking about security, and b) beat on by lots of other smart people. We get both of that in phpass in a convenient drop-in class.

@squirrel: I just pulled that % 50 out of my rear. you could do it as many times as you wanted; you could even alter the salt each iteration. eg.function HashPassword($password, $salt)
{
$r = md5($password);

$cursalt = $salt;
for($i = $salt % 10000 + 100; $i >= 0; $i--)
{
$r = md5($r.(string)$cursalt);

$cursalt = ($cursalt + 67343) % 2100000000;
}

return $r;
}(you'd think php would have the decency to automatically use a library if number values got too big, or at least keep int limitations independant of machine type...)

but yeah, if we wanted to ditch php users <= 4.1 we could use a cbc blowfish cipher instead. I'm hesitant to start juggling methods depending on php version b/c, especially with an outdated version like 4.1, it's likely a user will upgrade, which would mean we'd have to either update or reset the db yet another time.

I can't believe I was dumb enough not to realize the salt could be sort as part of the password though... I'll have to alter that. regardless we'd still need to update the db to allow for longer passwords.

ok, heh, I've realized that basing the function off the salt is useless, as there will be a 1:1 ratio between them, leading to no increase in variation. however, varying the function via the password+salt, while also adding no net variance, would at least add overhead (albeit small) to any attempted attack. but besides increasing variation in how the hash is generated, the only other component I can see affecting attacks would be the time to run the algorithm... is there anything I've missed?

@squirrel: I've looked at phpass, and considering the knowledge that's behind the salt generation it may be a better route to take in the end, but I'd like explore this whole region a little first. you can probably tell by my comment about a diff clone that I always have to try inventing things myself :-P

hrm, more and more I'm thinking a slightly modified version of phpass might be best. everything that I keep suggesting or going to suggest -- such as algorithm identification stored in the password, so no 'migration' is necessary on the users' part -- is already implemented by phpass. I think I'll look into integrating that as a PasswordHash class.

That's perfect.

the db will still have old md5 hash, but we can leave for Vanilla 1.1.6 or for an extension the job to delete all old md5 hash.

yep, it is what I meant

Put up a new version that actually works. Fun!

http://www.digitalsquirrel.com/vanilla/phpass.diff

Do you have a diff of just the password-related changes? There are a lot of changes from rc2 to this zip and it's hard to tell which are specifically password related.

One problem I can see is People.Class.PasswordHash.php. I don't think it's a good idea to make modifications to the phpass code. It's not necessary, it risks introducing bugs to code that we didn't write and it will make it more difficult to drop in any future revision of phpass.

On the whole it's a much more extensive modification than I was thinking of. I know I've been advocating this change for 1.1.5 but I was hoping we could do it more surgically.

Since I changed the protocol of the UserManager and Authenticator classes, it should probably only be added to Vanilla 1.2 or the call to the authenticator from the user manager should be copied to the user manager (and removed in 1.2) and vice-versa.

For the modifications to PasswordHash, they are just in the constructor, they would be easy to track. I could just extends it. But since I wasn't sure the settings are that useful (Can you change the settings after some password has been created?) I might just remove them.

Here are the diffs between 1.1.4 and 1.1.5-rc3:

http://dl.getdropbox.com/u/83967/framework.diff
http://dl.getdropbox.com/u/83967/people.diff - most of it is related to password storage change.
http://dl.getdropbox.com/u/83967/vanilla.diff

You gave me a diff with an outdated version of People. I removed the wrapper like you suggested but didn't add the extra argument on the authenticator method, instead I added a method to check the password. If someone use an outdated version of Authenticator, it will fail instead of having the UserManager doing extract stuff when it should have just check the password.

There are not supported but the methods and the signatures they are suppose to support are:
- Authenticator::Authenticate($Username, $Password, $PersistentSession)
- Authenticator::DeAuthenticate()
- Authenticator::GetIdentity()

Vanilla expect them and no more. (I think it should also manage the creation and modification of the credentials, instead of having them in the UserManager; UserManager for the credentials part should only be responsible of saving them in the user table - in the case on the default authenticator).

Sirnot's patch, yours and mine change them or add some methods and it could affect some forum.

Here is the diff between r108 (rc2) and r115 of people:
http://dl.getdropbox.com/u/83967/people-diff-108-115.diff

I removed the modification to PasswordHash and moved all modifications of the Authenticator protocol to the UserManager.

The comparison of the password is only a method shared by Authenticator::Authenticate(), UserManager::ChangePassword() and UserManager::ResetPassword(). Since we can't really change the Authenticator interface (not in Vanilla 1.1.x), I put them in the UserManager.

Authenticators that will get broken are the one that use Vanilla password but need the authenticator to do extra-stuff. I don't see any way to avoid it. It wouldn't have been a problem if the authenticator had also been managing the change and reset of the password or if UserManager::ChangePassword() and UserManager::ResetPassword() had been using Authenticator::Authenticate() for the authentication part of their job.

To not break any installation we could add a setting to turn on the new storage; Change the Authenticator interface in Vanilla 1.2 and then have the new storage on by default.

Yeah, that would work.

I'm not crazy about Authenticator creating its own UserManager object. Now there's an extra copy of UserManager that just hangs around all the time. I guess it doesn't matter because UM doesn't have any internal state but it feels clunky. I just can't think of any better way that doesn't change the signature of Authenticate().

It looks like this would do the job.

Is there a way to keep the md5-Hashes and still use md5? Because I set up a linuxserver on witch the user can authenticate against the vanilla-database and as far as I can see non of the 3 new password hash functions is available on linux especially on pam-mysql (http://pam-mysql.sourceforge.net/) witch cannot handle salts.

Here are the details:

// extensions/Md5authenticator/default.php
<?php
/*
Extension Name: Md5Authenticator
Extension Url: http://lussumo.com/community/?CommentID=90404
Description: Replace Vanilla Authenticator to only use md5 hash
Version: 0.1.1
Author: Damien Lebrun
Author Url: N/A
*/

global $Context;

// Check for Vanilla 1.1.5 and that we didn't already installed our authenticator
if (array_key_exists('AUTHENTICATION_CLASS', $Context->Configuration)
&& $Context->Configuration['AUTHENTICATION_MODULE'] !== 'Md5Autehnticator'
) {
AddConfigurationSetting($Context,
'AUTHENTICATION_MODULE', '../extensions/Md5authenticator/Authenticator.php');
AddConfigurationSetting($Context,
'AUTHENTICATION_CLASS', 'Md5Authenticator');
}

// extensions/Md5authenticator/Authenticator.php
<?php

if (!defined('IN_VANILLA')) exit();

global $Configuration;

include_once $Configuration['LIBRARY_PATH'] . '/People/People.Class.Authenticator.php';

class Md5Authenticator extends Authenticator {
function Md5Authenticator(&$Context) {
$this->Context = &$Context;
$this->PasswordHash = new Md5Hash($Context);
}
}

class Md5Hash {
var $Context;

function CheckPassword($User, $Password, $RegenerateHash=1) {
if ($Password && $User->Password !== '*') {
if (md5($Password) === $User->Password) {
return true;
} else if ($Password === $User->Password ) {
if ($RegenerateHash) {
$this->SetNewPassword($User, $Password);
}
return true;
}
}
return false;
}

function HashPassword($Password) {
return md5($Password);
}

function Md5Hash(&$Context) {
$this->Context =& $Context;
}


function SetNewPassword($User, $Password) {
$UserManager = $this->Context->ObjectFactory->NewContextObject(
$this->Context, 'UserManager');
$User->Password = $this->HashPassword($Password);
return $UserManager->SaveUserCredentials($User);
}
}


Sorry, I mixed the version I wrote and the one I debugged.

I updated the post. Her is the archive:
http://dl-client.getdropbox.com/u/83967/Md5authenticator-0.1.1.zip

If you already upgraded to 1.1.5 I need to do a little change to support this case...

Very nice. Thank you.