[katello-devel] Password reset to "admin/admin" and hashing
Garik Khachikyan
gkhachik at redhat.com
Wed Jun 29 11:30:08 UTC 2011
On 06/29/2011 12:50 PM, Lukas Zapletal wrote:
> Hello,
>
> I have reset the admin password to "admin".
>
> Sony attacks teach the IT industry (again) about storing passwords. I
> have implemented secure storage into Katello today.
>
> Passwords are stored in hashed form only. The hash is calculated from
> the password itself concatenated with ":" and with a 64-character-long seed
> string and then hashed 500 times using the SHA512 algorithm. The seed string
> is different for each user.
>
> Each password is stored in the database in the form of concatenated
> strings hash + salt. Every password is 192 characters long (128 hash,
> 64 seed).
>
> If passwords are stolen from the Katello database, an attacker needs to
> spend a giant amount of effort to retrieve a single one. Thanks to the seed
> string and repetition this will last centuries.
>
> Katello is now safe regarding storing passwords in its database.
>
> Please do # rake setup to reset the password to "admin" now. Thanks.
>
... and against this background:
isn't it time to think about changing the password (both UI/API options)?
For me admin/admin looks so simple ...
(I hope the process itself would not be too time-consuming, given the algorithm above.)
Thanks Lukas for the detailed description :)
Garik
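The scheme Lukas describes above (password + ":" + per-user 64-character seed, run through SHA-512 500 times, stored as the 128-character hex hash followed by the 64-character seed) is easy to misread in the details, so here is an added worked example in Ruby, the language Katello is written in. This is illustrative code, not Katello's own implementation, and it makes two assumptions the message does not spell out: that "hashed 500 times" means each round re-hashes the hex digest of the previous round, and that the seed is produced as 64 hex characters. Function names (`store_password`, `verify_password`, `iterated_hash`) are invented for this example.

```ruby
require 'digest'
require 'securerandom'

# Illustrative re-implementation of the scheme described in the mail.
# Not Katello's code; parameters taken from the message text.
SALT_LENGTH = 64    # "64 long seed string"
HASH_LENGTH = 128   # SHA-512 hex digest
ITERATIONS  = 500   # "hashed 500 times"

# Per-user seed: 32 random bytes rendered as 64 hex characters
# (assumption: the message says 64 characters but not the alphabet).
def generate_salt
  SecureRandom.hex(SALT_LENGTH / 2)
end

# "password:salt" hashed ITERATIONS times with SHA-512.
# Assumption: each round hashes the previous round's hex digest.
def iterated_hash(password, salt, iterations = ITERATIONS)
  digest = "#{password}:#{salt}"
  iterations.times { digest = Digest::SHA512.hexdigest(digest) }
  digest
end

# Stored form: hash + salt, 128 + 64 = 192 characters.
def store_password(password, salt = generate_salt)
  raise ArgumentError, "salt must be #{SALT_LENGTH} chars" unless salt.length == SALT_LENGTH
  iterated_hash(password, salt) + salt
end

# Constant-time string comparison so a mismatch position does not leak
# through timing. Stdlib only; no ActiveSupport dependency.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Split the stored value back into hash and salt, recompute, compare.
def verify_password(stored, candidate)
  return false unless stored.length == HASH_LENGTH + SALT_LENGTH
  hash = stored[0, HASH_LENGTH]
  salt = stored[HASH_LENGTH, SALT_LENGTH]
  secure_compare(hash, iterated_hash(candidate, salt))
end

if __FILE__ == $PROGRAM_NAME
  stored = store_password("admin")
  puts "stored length: #{stored.length}"          # 192
  puts "admin verifies: #{verify_password(stored, 'admin')}"
  puts "wrong rejected: #{!verify_password(stored, 'wrong')}"
end
```

Two practical notes on this construction. Because the salt is appended in the clear, any reader of the column can recover it, which is expected and fine; what protects the password is the per-user salt (no shared rainbow table) plus the iteration count. 500 rounds of SHA-512 is, however, a very small work factor for a fast hash: dedicated password-hashing functions (bcrypt, scrypt, PBKDF2 with a much higher iteration count, or Argon2) are what a reviewer would ask for today, and most of them also handle salt generation and encoding for you.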