Date: Fri, 10 Dec 2010 21:09:56 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] GNU Savannah integrates passwdqc

Hi,

After the security compromise that affected several gnu.org services and
websites, GNU Savannah (free software development hosting) introduced
proper password hashing and password/passphrase strength checking using
Openwall's passwdqc (invoking the pwqcheck and pwqgen programs):

http://savannah.gnu.org
http://savannah.gnu.org/maintenance/Compromise2010
http://git.savannah.gnu.org/cgit/savane-cleanup.git/

http://www.openwall.com/passwdqc/
http://www.openwall.com/articles/PHP-Users-Passwords#enforcing-password-policy
http://www.openwall.com/articles/PHP-Users-Passwords#random-passwords

If you maintain an online service with user accounts, you should
probably do the same - preferably before your security compromise occurs.
Here's how to do it:

http://www.openwall.com/articles/PHP-Users-Passwords

and you may refer to the savane-cleanup git repository above for an
example of how they did it.  You may also see this in action on their
new user registration page:

https://savannah.gnu.org/account/register.php

(Note: they use a http://www.cacert.org issued SSL certificate, which
will likely be unrecognized by your web browser by default.  CAcert is
about making verifiable SSL certs freely available, and so is in line
with GNU.  This has nothing to do with password strength checking; it's
just a side note I had to include.)

For proper password hashing, the Savannah Hackers chose to use the
SHA-512-based crypt(3) flavor that is currently included in the official
glibc (with this being the very reason for their choice), accessing it
from PHP scripts.  Thus, they used only some pieces of code from our
phpass password hashing framework, whereas our recommendation for other
projects/websites/services is to use the entire thing:

http://www.openwall.com/phpass/

(It is risky to try to implement things like this entirely on your own.
Most people get it wrong.)

Indeed, lots of other security improvements have been made by the FSF
sysadmins and Savannah Hackers - many of these are described on the
Compromise2010 web page referenced above.  However, this message is
about password security.

Alexander
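Since the message points at the PHP article rather than showing code, here is an added example of the two pieces it describes: running pwqcheck/pwqgen from PHP and hashing with the SHA-512 crypt(3) flavor. This is my own illustration, not the savane-cleanup or phpass code; the helper names are assumed, and it assumes passwdqc's pwqcheck and pwqgen binaries are installed and on PATH.

```php
<?php
// Added example (not the savane-cleanup or phpass code). Assumes passwdqc's
// pwqcheck and pwqgen are installed and on PATH; helper names are my own.
declare(strict_types=1);

// Run a passwdqc program, feed it $stdin, return [exit status, stdout].
function pwq_run(string $cmd, string $stdin): array {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("cannot run $cmd");
    }
    fwrite($pipes[0], $stdin);   // passphrases go over stdin, never argv
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), rtrim($out, "\n")];
}

// null when the new passphrase passes policy, otherwise pwqcheck's reason
// line ("Bad passphrase (too short)", ...). -1 reads only the new passphrase,
// -2 reads new and old so "same as old"/"too similar" checks also apply.
function password_policy_error(string $newpass, string $oldpass = ''): ?string {
    $cmd   = $oldpass === '' ? 'pwqcheck -1' : 'pwqcheck -2';
    $stdin = $oldpass === '' ? "$newpass\n" : "$newpass\n$oldpass\n";
    [$status, $out] = pwq_run($cmd, $stdin);
    return ($status === 0 && $out === 'OK') ? null : $out;
}

// Random passphrase from pwqgen, for the "random passwords" approach.
function suggest_passphrase(): string {
    [$status, $out] = pwq_run('pwqgen', '');
    if ($status !== 0 || $out === '') {
        throw new RuntimeException('pwqgen failed');
    }
    return $out;
}

// SHA-512 crypt(3) ("$6$"): 16 salt chars from a CSPRNG, explicit rounds.
function hash_password(string $password): string {
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    $hash = crypt($password, '$6$rounds=10000$' . $salt . '$');
    if (strlen($hash) < 13) {   // crypt() returns a short "*N" string on failure
        throw new RuntimeException('SHA-512 crypt unavailable');
    }
    return $hash;
}

// Constant-time comparison; the stored hash carries its own salt and rounds.
function verify_password(string $password, string $hash): bool {
    return hash_equals($hash, crypt($password, $hash));
}
```

A registration handler would call password_policy_error() first and store hash_password() only when it returns null; on failure, show the pwqcheck reason to the user together with a suggest_passphrase() value.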
