Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Medium
    • Resolution: Done
    • Component/s: BenAdmin
    • Labels:
    • Module:
      BenAdmin - Security
    • Reported by:
      Support
    • Item State:
      LB QA - LB Deployed
    • Issue Importance:
      Must Have

      Description

      Impact
      Encrypting passwords is an insecure method of storing passwords. By storing the key to these passwords, WORKTERRA has direct access to user passwords. If a malicious user with elevated access or a malicious employee wanted to view user passwords, that individual could do so by using the encryption key to decrypt passwords. The ability to decrypt passwords adds significant risk to the users of WORKTERRA's application in the event of a data compromise.

      Verification and Attack Information
      Praetorian confirmed that passwords were encrypted using AES-256 through an interview with the application’s developers.

      Recommendation
Use a Password-Based Key Derivation Function (PBKDF) to store salted hashes of passwords instead of storing encrypted passwords. Praetorian recommends using one of the following algorithms (in order of preference): scrypt, bcrypt, or PBKDF2.
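The recommended scheme in working form, as an added example that is not WORKTERRA's code or the migration utility mentioned later in this ticket: each password gets a fresh random salt (so two users with the same password, or the same password hashed twice, produce different stored values), verification recomputes scrypt from the stored parameters and compares in constant time, and a one-time migration step rehashes legacy reversible values through an assumed `decrypt_legacy` callback. The cost parameters and record format are assumptions, not values from the ticket.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters; assumed values, not from the ticket. Tune N so one
# hash costs roughly 100 ms on the authentication server.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN, SALT_LEN = 32, 16
PREFIX = "$scrypt$"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: $scrypt$N$r$p$salt$hash (base64 fields)."""
    salt = os.urandom(SALT_LEN)  # fresh per password, so equal inputs differ
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"{PREFIX}{SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    if not stored.startswith(PREFIX):
        return False  # legacy or malformed record: never accept it as a hash
    n, r, p, salt_b64, dk_b64 = stored[len(PREFIX):].split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def migrate_record(stored: str, decrypt_legacy) -> str:
    """One-time migration: legacy reversible value -> scrypt hash.

    decrypt_legacy is the caller's existing AES-256 decrypt routine (assumed
    signature: ciphertext str -> plaintext str). Already-migrated rows are
    returned unchanged so the utility can be re-run safely; once every row is
    migrated the decryption key can be retired.
    """
    if stored.startswith(PREFIX):
        return stored
    return hash_password(decrypt_legacy(stored))
```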

      References
      https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
      https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/
      http://codahale.com/how-to-safely-store-a-password/

          Activity

          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Changed existing encryption algorithm to SCrypt hashing algorithm

          Created migration utility to migrate existing passwords.
          Checked in LB.

          rakeshr Rakesh Roy (Inactive) added a comment -

          Zeeshan Chishty Hrishikesh Deshpande Deepali Tidke
          Please check the scope of this and plan your testing accordingly.
          For any help approach developer to understand what functionality can be impacted.

          rakeshr Rakesh Roy (Inactive) added a comment -

          Vikas Pawar Please do not change status as Local testing before it gets deployed.

          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Rakesh Roy This change is deployed on LB.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Hi Rakesh,

          As per my understanding we only need to make sure that passwords are now getting stored using scrypt algorithm. We need sample of values of the stored passwords and try to crack them. Please correct me if I am wrong.

          rakeshr Rakesh Roy (Inactive) added a comment -

          Vikas Pawar Please update Zeeshan's query. Venkatesh Pujari Zeeshan Chishty Vijayendra Shinde

          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Zeeshan Chishty All the user passwords are stored using Scrypt Algorithm.
          Rakesh Roy I had already shared the password with Zeeshan Chishty.
          Zeeshan Chishty Please provide your updates on this.

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          I tried to decrypt the password but was not able to do that. We also verified that the HASH value generated is always different for the same input.

          rakeshr Rakesh Roy (Inactive) added a comment -

          Is this ready for stage deployment, Zeeshan Chishty

          Zeeshan.Chishty Zeeshan Chishty (Inactive) added a comment -

          Rakesh Roy Yes

          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          Please find my comments below:-
          1] Verify all logins by adding and deleting all role users and verifying their logins.
          2] Verified ADD/Update/Delete for all users.
          3] Verified forgot password with CA,Partner and Employee login and observed that Employee login forgot password is not working as expected.

          Please look into this.

          Thanks,
          Venkatesh

          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Hi Venkatesh Pujari,
          This issue was because the same company was assigned to multiple databases.
          I have renamed one inactive company. Now you can test on it.

          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          I have verified forgot password for Employee login on CST for Hspl company on stage, but this is not working as per implementation. Please look into this and assign this ticket to me once fixed.

          Thanks,
          Venkatesh

          vikas.pawar Vikas Pawar (Inactive) added a comment -

          Hi Venkatesh,
          The TokenDateTimeStamp column was missing from the Users table on stage. Added the column to the Users table. Please check now.

          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          I have verified forgot password for Employee login on City of Denton for Hspl company on stage and it is working as per implementation.

          Ready for Production.

          Thanks,
          Venkatesh

          venkatesh.pujari Venkatesh Pujari (Inactive) added a comment -

          Hi Vikas,

          Please find my comments below:-
          1] Verify all logins by adding and deleting all role users and verifying their logins.
          2] Verified ADD/Update/Delete for all users.
          3] Verified forgot password with CA,Partner and Employee login.

          Working fine as expected, so closing the ticket.


            People

            Assignee:
            venkatesh.pujari Venkatesh Pujari (Inactive)
            Reporter:
            vijayendra Vijayendra Shinde (Inactive)
            Developer:
            Vikas Pawar (Inactive)
            Votes:
            0
            Watchers:
            5

                Time Tracking

                Estimated:
                Not Specified
                Remaining:
                0h
                Logged:
                0.75h