57
Root
2y

!security

(Less a rant; more just annoyance)

The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.

The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄

Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)

I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.

But it's Friday, so I must unfortunately wait. :<
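The "temporary lockouts" part of the plan above, as an added example (not code from the post's codebase): a small in-memory lockout tracker with an injectable clock so the expiry can be exercised deterministically. The counter limits, window length and the `LoginThrottle` name are assumptions; a real deployment would keep the counters in the database or a shared store so every app instance sees them, and would pair per-account lockout with per-IP rate limiting, since lockout on its own lets anyone who knows the admin usernames lock the admins out.

```ruby
# Added example: temporary account lockout after repeated failures.
# In-memory only; production would persist these counters in a shared store.
class LoginThrottle
  def initialize(max_failures: 5, lockout_seconds: 900, clock: -> { Time.now })
    @max_failures = max_failures       # assumption: 5 failures locks the account
    @lockout_seconds = lockout_seconds # assumption: 15-minute lockout
    @clock = clock                     # injectable so tests can move time forward
    @failures = Hash.new(0)            # account => consecutive failures
    @locked_until = {}                 # account => Time the lockout expires
  end

  # True while the lockout window is still open. When it has expired, the
  # state is cleared so the next window starts from zero failures.
  def locked?(account)
    expires = @locked_until[account]
    return false unless expires
    return true if @clock.call < expires

    @locked_until.delete(account)
    @failures.delete(account)
    false
  end

  # Runs the supplied password check only when the account is not locked, so a
  # locked-out caller learns nothing about whether the password was right.
  # Returns :locked, :ok or :failed.
  def attempt(account)
    return :locked if locked?(account)

    if yield
      @failures.delete(account) # success resets the failure streak
      return :ok
    end

    @failures[account] += 1
    if @failures[account] >= @max_failures
      @locked_until[account] = @clock.call + @lockout_seconds
      :locked
    else
      :failed
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: three wrong guesses lock "root" for 60 seconds.
  now = Time.at(1_000_000)
  throttle = LoginThrottle.new(max_failures: 3, lockout_seconds: 60, clock: -> { now })
  3.times { p throttle.attempt("root") { false } }  # :failed, :failed, :locked
  p throttle.attempt("root") { true }                # :locked (right password, still refused)
  now += 61
  p throttle.attempt("root") { true }                # :ok after the window expires
end
```

The block passed to `attempt` is where the real password verification goes, which keeps the throttle independent of whichever hashing scheme replaces the MD5 one.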

Comments
  • 20
    Good on you for actually giving a fuck
  • 3
    Thank you
  • 5
    I hope the company appreciates what a Fing asset you are
  • 7
    And then you’ll have to deal with all the bitching from the admin type folk who are so fucking useless they get locked out constantly 😆
  • 10
    @badcopnodonuts Truth. There's no "forgot password" flow either. Not looking forward to writing that.
  • 3
    Why would anyone ever do a fixed salt? It's easy to generate a random string and save it in the database....
  • 5
    @AlgoRythm I think it's actually called "pepper", but one should use it in conjunction with salt. If you don't have app sources and its config (which contains pepper used) but only the DB, cracking those passwords is more painful because you have to figure out the pepper.
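An added example (not code from the post's codebase or from any commenter) covering both the post's fixed-salt MD5 scheme and the salt-plus-pepper point in the comment above. The first half reconstructs the weak scheme with an assumed salt of `"AcmeAdmin"` and shows why a shared salt is so cheap to attack: each dictionary guess is hashed once and checked against every stored hash. The second half shows the structure the post is moving to: a random per-user salt stored beside the hash, a pepper that lives only in app config, and a slow KDF. The post plans bcrypt; PBKDF2-HMAC-SHA256 from Ruby's standard library is used here so the example runs without the bcrypt gem, and the iteration count is an assumption kept low for the demo. All sample hashes and the pepper value are constructed.

```ruby
require "digest"
require "openssl"
require "securerandom"

# --- Legacy scheme as described in the post (reconstructed, not the real code) ---
# One fixed, guessable salt for every account, then a single fast MD5.
LEGACY_SALT = "AcmeAdmin" # assumption: company name + "Admin"

def legacy_hash(password)
  Digest::MD5.hexdigest(LEGACY_SALT + password)
end

# Dictionary attack against the legacy scheme. With a shared salt every guess
# is hashed once and compared against all stored hashes at the same time.
def crack_legacy(stored, wordlist)
  by_hash = stored.group_by { |_user, h| h } # hash => [[user, hash], ...]
  cracked = {}
  wordlist.each do |guess|
    h = legacy_hash(guess)
    next unless by_hash.key?(h)
    by_hash[h].each { |user, _| cracked[user] = guess }
  end
  cracked
end

# --- Hardened scheme: random per-user salt + app-config pepper + slow KDF ---
ITERATIONS = 20_000 # assumption for a quick demo; production should use far more
SHA256 = OpenSSL::Digest.new("SHA256")

# The pepper is mixed in with HMAC before the KDF, so a dump of the users
# table alone (salt and hash, but no app config) cannot be used to test guesses.
def hash_password(password, pepper, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  peppered = OpenSSL::HMAC.digest(SHA256, pepper, password)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(peppered, salt, iterations, 32, SHA256)
  "pbkdf2-sha256$#{iterations}$#{salt.unpack1('H*')}$#{dk.unpack1('H*')}"
end

def verify_password(password, stored, pepper)
  algo, iter, salt_hex, dk_hex = stored.split("$")
  return false unless algo == "pbkdf2-sha256"

  salt = [salt_hex].pack("H*")
  peppered = OpenSSL::HMAC.digest(SHA256, pepper, password)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(peppered, salt, iter.to_i, 32, SHA256)
  constant_time_equal?(dk.unpack1("H*"), dk_hex)
end

# Compare every byte regardless of mismatches so timing does not leak how many
# leading bytes of a guess were correct.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: what a seeds.rb full of legacy hashes amounts to.
  stored = {
    "root" => legacy_hash("letmein"),
    "ops"  => legacy_hash("Summer2019!"),
    "bob"  => legacy_hash("letmein")
  }
  p crack_legacy(stored, %w[password 123456 letmein Summer2019! admin])

  pepper = "pepper-from-config" # assumption: lives in app config, never in the DB
  record = hash_password("letmein", pepper)
  p verify_password("letmein", record, pepper)   # right password + right pepper
  p verify_password("letmein", record, "wrong")  # DB dump without the config is useless
  p hash_password("letmein", pepper) == record   # fresh salt: same password, new record
end
```

Note that the pepper only helps against a database-only leak; if the attacker also has the config (or the app source with it baked in), the per-user salt and the slow KDF are what is left, which is why both are needed rather than either alone.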
  • 1
    @gronostaj that's interesting
  • 0
    Could someone please tell me what would be the proper way of salting and storing the hashes? I haven't really studied security much.
  • 0
    @Ansis I use BCrypt without any salt
  • 1
    @theunknownguy bcrypt automatically salts passwords. I'm a bit concerned that you are convinced that you're not salting passwords, consider it okay and recommend this approach to others. Maybe it's time to update your basic password handling knowledge?
  • 0
    @gronostaj wow calm down mate, where did I mention I was recommending the other person? Where did I mention BCrypt does or does not salt the password?
  • 1
    @theunknownguy

    > Ansis: Could someone please tell me what would be the proper way of salting and storing the hashes?

    > You: @ Ansis I use BCrypt without any salt

    I didn't mean to offend you, it was just an honest suggestion.