Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      LB QA - LB Deployed
    • Issue Importance:
      Must Have

      Description

      Impact
      Encrypting passwords is an insecure method of storing them because encryption is reversible by design: the strength of the cipher does not matter when the key is stored alongside the ciphertext. By holding the key, WORKTERRA has direct access to every user's plaintext password. A malicious user with elevated access, or a malicious employee, could recover those passwords simply by using the encryption key to decrypt them. The ability to decrypt passwords adds significant risk to the users of WORKTERRA's application in the event of a data compromise, since recovered passwords are typically reused on other services.

      Verification and Attack Information
      Through an interview with the application's developers, Praetorian confirmed that passwords were stored encrypted with AES-256 rather than hashed.

      Recommendation
      Use a password-based key derivation function (PBKDF) to store salted, deliberately slow hashes of passwords instead of storing encrypted passwords. A hash cannot be reversed to recover the password; verification recomputes the hash from the submitted password and compares it with the stored value. Praetorian recommends using one of the following algorithms (in order of preference): scrypt, bcrypt, or PBKDF2.

      References
      https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
      https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/
      http://codahale.com/how-to-safely-store-a-password/

        Attachments

          Activity

          vijayendra Vijayendra Shinde (Inactive) created issue -
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Field Original Value New Value
          Status New Request [ 10029 ] Pending for Approval [ 10002 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Pending for Approval [ 10002 ] Approved for Development [ 10003 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Status Approved for Development [ 10003 ] In Development [ 10007 ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Assignee Vikas Pawar [ vikas.pawar ]
          vijayendra Vijayendra Shinde (Inactive) made changes -
          Labels Security
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Assignee Vikas Pawar [ vikas.pawar ] Rakesh Roy [ rakeshr ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Assignee Rakesh Roy [ rakeshr ] Zeeshan Chishty [ zeeshan.chishty ]
          Zeeshan.Chishty Zeeshan Chishty (Inactive) made changes -
          Assignee Zeeshan Chishty [ zeeshan.chishty ] Deepali Tidke [ deepalit ]
          deepalit Deepali Tidke (Inactive) made changes -
          Assignee Deepali Tidke [ deepalit ] Venkatesh Pujari [ venkatesh.pujari ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: Development(10200)Level 1 values: In Progress(10206) Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213)
          rakeshr Rakesh Roy (Inactive) made changes -
          Developer Vikas Pawar [ vikas.pawar ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: LB QA(10201)Level 1 values: Ready for Stage(10213) Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602)
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          rakeshr Rakesh Roy (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Stage Testing [ 10201 ] Reopen in Stage [ 10023 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Stage Deployed(11602) Parent values: Stage QA(10202)Level 1 values: Re-open(10216)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Assignee Venkatesh Pujari [ venkatesh.pujari ] Vikas Pawar [ vikas.pawar ]
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Assignee Vikas Pawar [ vikas.pawar ] Venkatesh Pujari [ venkatesh.pujari ]
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Re-open(10216) Parent values: Stage QA(10202)Level 1 values: In Testing(10214)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: In Testing(10214) Parent values: Stage QA(10202)Level 1 values: Re-open(10216)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Assignee Venkatesh Pujari [ venkatesh.pujari ] Vikas Pawar [ vikas.pawar ]
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Assignee Vikas Pawar [ vikas.pawar ] Venkatesh Pujari [ venkatesh.pujari ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Reopen in Stage [ 10023 ] In Development [ 10007 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status In Development [ 10007 ] Local Testing [ 10200 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Local Testing [ 10200 ] Pending for Stage Approval [ 10300 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Pending for Stage Approval [ 10300 ] Approved for Stage [ 10030 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Approved for Stage [ 10030 ] Stage Testing [ 10201 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Re-open(10216) Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217)
          rakeshr Rakesh Roy (Inactive) made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Ready for Production(10217) Parent values: Stage QA(10202)Level 1 values: Production Deployment on Hold(10224)
          satyap Satya made changes -
          Item State Parent values: Stage QA(10202)Level 1 values: Production Deployment on Hold(10224) Parent values: Production QA(10203)Level 1 values: Production Deployed(10221)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Stage Testing [ 10201 ] Pending for Production Approval [ 10301 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Pending for Production Approval [ 10301 ] Approved for production [ 10034 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Status Approved for production [ 10034 ] Production Testing [ 10202 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Resolution Done [ 10000 ]
          Status Production Testing [ 10202 ] Production Complete [ 10028 ]
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Item State Parent values: Production QA(10203)Level 1 values: Production Deployed(10221) Parent values: Production Complete(10222)Level 1 values: Closed(10223)
          venkatesh.pujari Venkatesh Pujari (Inactive) made changes -
          Resolution Done [ 10000 ] Fixed [ 1 ]
          Status Production Complete [ 10028 ] Closed [ 6 ]
          vikas.pawar Vikas Pawar (Inactive) made changes -
          Remaining Estimate 0h [ 0 ]
          Time Spent 0.75h [ 2700 ]
          Worklog Id 45207 [ 45207 ]
          khandu.kshirsagar Khandu Kshirsagar (Inactive) made changes -
          Item State Parent values: Production Complete(10222)Level 1 values: Closed(10223) Parent values: LB QA(10201)Level 1 values: LB Deployed(11600)

            People

            Assignee:
            venkatesh.pujari Venkatesh Pujari (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Vikas Pawar (Inactive)
            Votes:
            0
            Watchers:
            5

              Dates

              Created:
              Updated:
              Resolved:

                Time Tracking

                Estimated:
                Not Specified
                Remaining:
                0h
                Logged:
                0.75h