Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      LB QA - LB Deployed
    • Issue Importance:
      Must Have

      Description

      Impact
      Encrypting passwords is an insecure method of storing passwords. By storing the key to these passwords, WORKTERRA has direct access to user passwords. If a malicious user with elevated access or a malicious employee wanted to view user passwords, that individual could do so by using the encryption key to decrypt passwords. The ability to decrypt passwords adds significant risk to the users of WORKTERRA's application in the event of a data compromise.

      Verification and Attack Information
      Praetorian confirmed that passwords were encrypted using AES-256 through an interview with the application’s developers.

      Recommendation
      Use a Password Based Key Derivation Function (PBKDF) to store hashes of passwords as an alternative to storing encrypted passwords. Praetorian recommends using one of the following algorithms (in order of preference): Scrypt, Bcrypt, or PBKDF2.

      References
      https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
      https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/
      http://codahale.com/how-to-safely-store-a-password/
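The recommendation above, as an added example that is not WORKTERRA's or BenAdmin's code: a salted scrypt record with constant-time verification, beside the kind of one-shot migration the developer comment mentions, which uses the legacy decryption capability once per record and replaces the ciphertext with a hash. The scrypt work factors, the `scrypt$N$r$p$salt$hash` record format and the `legacy_decrypt` callable are assumptions; in the demo, base64 stands in for the AES-256 decryption so the script runs without a crypto library.

```python
import base64
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# scrypt work factors (assumed values; raise N until a hash costs ~100 ms on your servers)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the parameters stored in the record; compare in constant time."""
    try:
        alg, n, r, p, salt_hex, hash_hex = record.split("$")
        if alg != "scrypt":
            return False                     # legacy or unknown record: never accept
        dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
        return hmac.compare_digest(dk, bytes.fromhex(hash_hex))
    except ValueError:                       # malformed record
        return False


def migrate_users(users: Dict[str, str], legacy_decrypt: Callable[[str], str]) -> Dict[str, str]:
    """One-shot migration. The old scheme was reversible (the application held the
    AES key), so each ciphertext is decrypted once and replaced by a scrypt record.
    Idempotent: records that are already scrypt are left untouched, so the job can
    be re-run; once every record is migrated the legacy key can be destroyed."""
    return {user: stored if stored.startswith("scrypt$")
            else hash_password(legacy_decrypt(stored))
            for user, stored in users.items()}


if __name__ == "__main__":
    # Constructed stand-in for the legacy store: base64 plays the role of the
    # reversible AES-256 encryption so the example runs without a crypto library.
    legacy = {"alice": base64.b64encode(b"hunter2").decode()}
    migrated = migrate_users(legacy, lambda c: base64.b64decode(c).decode())
    print(migrated["alice"])
    print(verify_password("hunter2", migrated["alice"]),   # True
          verify_password("hunter3", migrated["alice"]))   # False
```

Hashing the same password twice yields two different records because each call draws a new salt, which is the property the QA comment later checks for.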

        Attachments

          Activity

          vijayendra Vijayendra Shinde (Inactive) created issue -
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Field Original Value New Value
          Status New Request [ 10029 ] Pending for Approval [ 10002 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Pending for Approval [ 10002 ] Approved for Development [ 10003 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Approved for Development [ 10003 ] In Development [ 10007 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Vikas Pawar [ vikas.pawar ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Labels Security
          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Changed existing encryption algorithm to SCrypt hashing algorithm

          Created migration utility to migrate existing passwords.
          Checked in LB.

          vikas.pawar Vikas Pawar (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Assignee Vikas Pawar [ vikas.pawar ] Rakesh Roy [ rakeshr ]
          rakeshr Rakesh Roy (Inactive) added a comment -

          Zeeshan Chishty Hrishikesh Deshpande Deepali Tidke
          Please check the scope of this and plan your testing accordingly.
          For any help approach developer to understand what functionality can be impacted.

          rakeshr Rakesh Roy (Inactive) made changes -
          Assignee Rakesh Roy [ rakeshr ] Zeeshan Chishty [ zeeshan.chishty ]
          rakeshr Rakesh Roy (Inactive) added a comment -

          Vikas Pawar Please do not change status as Local testing before it gets deployed.

          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Rakesh Roy This change is deployed on LB.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Hi Rakesh,

          As per my understanding we only need to make sure that passwords are now getting stored using scrypt algorithm. We need sample of values of the stored passwords and try to crack them. Please correct me if I am wrong.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Deepali Tidke [ deepalit ]
          deepalit Deepali Tidke (Inactive) made changes -
          Assignee Deepali Tidke [ deepalit ] Venkatesh Pujari [ venkatesh.pujari ]
          rakeshr Rakesh Roy (Inactive) added a comment -

          Vikas Pawar Please update Zeeshan's query. Venkatesh Pujari Zeeshan Chishty Vijayendra Shinde

          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Zeeshan Chishty All the user passwords are stored using Scrypt Algorithm.
          Rakesh Roy Already I had shared the password with Zeeshan Chishty.
          Zeeshan Chishty Please provide your updates on this.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          I tried to decrypt the password but was not able to do that. We also verified that the hash value generated is always different for the same input.

          rakeshr Rakesh Roy (Inactive) added a comment -

          Is this ready for stage deployment, Zeeshan Chishty

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Rakesh Roy Yes

          rakeshr Rakesh Roy (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: Development(10200)Level 1 values: In Progress(10206) Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213)
          rakeshr Rakesh Roy (Inactive) made changes -
          Developer Vikas Pawar [ vikas.pawar ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          Please find my comments below:
          1] Verify all logins by adding and deleting all role users and verifying their logins.
          2] Verified ADD/Update/Delete for all users.
          3] Verified forgot password with CA, Partner and Employee login and observed that Employee login forgot password is not working as expected.

          Please look into this.

          Thanks,
          Venkatesh

          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Stage Testing [ 10201 ] Reopen in Stage [ 10023 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) Parent values: Stage QA(10202)Level 1 values: Re-open(10216)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Assignee Venkatesh Pujari [ venkatesh.pujari ] Vikas Pawar [ vikas.pawar ]
          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Hi Venkatesh Pujari,
          This issue was because the same company was given to multiple databases.
          I have renamed one inactive company name. Now you can test on it.

          vikas.pawar Vikas Pawar (Inactive) made changes -
          Assignee Vikas Pawar [ vikas.pawar ] Venkatesh Pujari [ venkatesh.pujari ]
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Re-open(10216) Parent values: Stage QA(10202)Level 1 values: In Testing(10214)
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          I have verified forgot password for Employee login on CST for Hspl company on stage, but this is not working as per implementation. Please look into this and assign this ticket to me once fixed.

          Thanks,
          Venkatesh

          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: In Testing(10214) Parent values: Stage QA(10202)Level 1 values: Re-open(10216)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Assignee Venkatesh Pujari [ venkatesh.pujari ] Vikas Pawar [ vikas.pawar ]
          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Hi Venkatesh,
          TokenDateTimeStamp column was missing from Users table on stage. Added Column in users table. Please check now.

          vikas.pawar Vikas Pawar (Inactive) made changes -
          Assignee Vikas Pawar [ vikas.pawar ] Venkatesh Pujari [ venkatesh.pujari ]
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          I have verified forgot password for Employee login on City of Denton for Hspl company on stage and it is working as per implementation.

          Ready for Production.

          Thanks,
          Venkatesh

          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Reopen in Stage [ 10023 ] In Development [ 10007 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Re-open(10216) Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217)
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) Parent values: Stage QA(10202)Level 1 values: Production Deployment on Hold(10224)
          satyap Satya made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Production Deployment on Hold(10224) Parent values: Production QA(10203)Level 1 values: Production Deployed(10221)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Stage Testing [ 10201 ] Pending for Production Approval [ 10301 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Pending for Production Approval [ 10301 ] Approved for production [ 10034 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Approved for production [ 10034 ] Production Testing [ 10202 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          Please find my comments below:
          1] Verify all logins by adding and deleting all role users and verifying their logins.
          2] Verified ADD/Update/Delete for all users.
          3] Verified forgot password with CA, Partner and Employee login.

          Working fine as expected so closing the ticket.

          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Resolution Done [ 10000 ]
          Status Production Testing [ 10202 ] Production Complete [ 10028 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Item State Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) Parent values: Production Complete(10222)Level 1 values: Closed(10223)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Resolution Done [ 10000 ] Fixed [ 1 ]
          Status Production Complete [ 10028 ] Closed [ 6 ]
          vikas.pawar Vikas Pawar (Inactive) logged work - 12/May/17 12:13 PM
          • Time Spent:
            0.75h
             
            • Tried to find out the root cause of script failure on azure
            • Modified script and committed into UI Refresh, trunk and LB branch
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Remaining Estimate 0h [ 0 ]
          Time Spent 0.75h [ 2700 ]
          Worklog Id 45207 [ 45207 ]
          khandu.kshirsagar Khandu Kshirsagar (Inactive) made changes -
          Item State Parent values: Production Complete(10222)Level 1 values: Closed(10223) Parent values: LB QA(10201)Level 1 values: LB Deployed(11600)
          Transition | Time In Source Status | Execution Times
          Vijayendra Shinde (Inactive) made transition: New Request -> Pending for Approval | 19s | 1
          Vijayendra Shinde (Inactive) made transition: Pending for Approval -> Approved for Development | 2s | 1
          Vijayendra Shinde (Inactive) made transition: Approved for Development -> In Development | 4s | 1
          Venkatesh Pujari (Inactive) made transition: Stage Testing -> Reopened in Stage | 21h 29m | 1
          Venkatesh Pujari (Inactive) made transition: Reopened in Stage -> In Development | 6d 20h 19m | 1
          Venkatesh Pujari (Inactive) made transition: In Development -> In LB Testing | 9d 3h 12m | 2
          Venkatesh Pujari (Inactive) made transition: In LB Testing -> Pending for Stage Approval | 25d 4h 50m | 2
          Venkatesh Pujari (Inactive) made transition: Pending for Stage Approval -> Approved for Stage | 20d 23h 20m | 2
          Venkatesh Pujari (Inactive) made transition: Approved for Stage -> Stage Testing | 8s | 2
          Venkatesh Pujari (Inactive) made transition: Stage Testing -> Pending for Production Approval | 34d 23h 14m | 1
          Venkatesh Pujari (Inactive) made transition: Pending for Production Approval -> Approved for production | 1s | 1
          Venkatesh Pujari (Inactive) made transition: Approved for production -> In Production Testing | 2s | 1
          Venkatesh Pujari (Inactive) made transition: In Production Testing -> Production Complete | 2d 3h 2m | 1
          Venkatesh Pujari (Inactive) made transition: Production Complete -> Closed | 7s | 1

            People

            Assignee:
            venkatesh.pujari Venkatesh Pujari (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Vikas Pawar (Inactive)
            Votes:
            0
            Watchers:
            5

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Remaining:
                Remaining Estimate - 0h
                Logged:
                Time Spent - 0.75h