Project SimpleProject Type: software

Project Simple

Uploaded image for project: 'Project Simple'
  1. Project Simple
  2. ST-201

INSECURE PASSWORD STORAGE

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      LB QA - LB Deployed
    • Issue Importance:
      Must Have

      Description

      Impact
      Encrypting passwords is an insecure method of storing passwords. By storing the key to these passwords, WORKTERRA has direct access to user passwords. If a malicious user with elevated access or a malicious employee wanted to view user passwords, that individual could do so by using the encryption key to decrypt passwords. The ability to decrypt passwords adds significant risk to the users of WORKTERRA's application in the event of a data compromise.

      Verification and Attack Information
      Praetorian confirmed that passwords were encrypted using AES-256 through an interview with the application’s developers.

      Recommendation
      Use a Password Based Key Derivation Function (PBKDF) to store hashes of passwords as an alternative to storing in encrypted passwords. Praetorian recommends using one of the following algorithms (in order of preference): Scrypt, Bcrypt, or PBKDF2.

      References
      https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
      https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/
      http://codahale.com/how-to-safely-store-a-password/

        Attachments

          Activity

          Ascending order - Click to sort in descending order
          11 older comments
          Hide
          Permalink
          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Hi Venkatesh Pujari,
          This issue was because of same company was given to multiple databases.
          I have renamed one in-active company name. Now you can test on it.

          Show
          vikas.pawar Vikas Pawar (Inactive) added a comment - Hi Venkatesh Pujari , This issue was because of same company was given to multiple databases. I have renamed one in-active company name. Now you can test on it.
          Hide
          Permalink
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          I have verified forgot password for Employee login on CST for Hspl company on stage but this is not working as per implementation please look into this and assign this ticket to me once fixed.

          Thanks,
          Venkatesh

          Show
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment - Hi Vikas, I have verified forgot password for Employee login on CST for Hspl company on stage but this is not working as per implementation please look into this and assign this ticket to me once fixed. Thanks, Venkatesh
          Hide
          Permalink
          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Hi Venkatesh,
          TokenDateTimeStamp column was missing from Users table on stage. Added Column in users table. Please check now.

          Show
          vikas.pawar Vikas Pawar (Inactive) added a comment - Hi Venkatesh, TokenDateTimeStamp column was missing from Users table on stage. Added Column in users table. Please check now.
          Hide
          Permalink
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          I have verified forgot password for Employee login on City of Denton for Hspl company on stage and it is working as per implementation.

          Ready for Production.

          Thanks,
          Venkatesh

          Show
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment - Hi Vikas, I have verified forgot password for Employee login on City of Denton for Hspl company on stage and it is working as per implementation. Ready for Production. Thanks, Venkatesh
          Hide
          Permalink
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          Please find my comments below:-
          1] Verify all logins by adding and deleting all role users and verifying their logins.
          2] Verified ADD/Update/Delete for all users.
          3] Verified forgot password with CA,Partner and Employee login.

          Working fine as expected so closing the ticket.

          Show
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment - Hi Vikas, Please find my comments below:- 1] Verify all logins by adding and deleting all role users and verifying their logins. 2] Verified ADD/Update/Delete for all users. 3] Verified forgot password with CA,Partner and Employee login. Working fine as expected so closing the ticket.

            People

            Assignee:
            venkatesh.pujari Venkatesh Pujari (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Vikas Pawar (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 0.75h
                0.75h