[katello-devel] Password reset to "admin/admin" and hashing

Garik Khachikyan gkhachik at redhat.com
Wed Jun 29 11:30:08 UTC 2011


On 06/29/2011 12:50 PM, Lukas Zapletal wrote:
> Hello,
>
> I have reset the admin password to "admin".
>
> Sony attacks teach the IT industry (again) about storing passwords. I 
> have implemented secure storage into Katello today.
>
> Passwords are stored in hashed form only. The hash is calculated from 
> the password itself concatenated with ":" and with a 64-character long seed 
> string and then hashed 500 times using the SHA512 algorithm. The seed string 
> is different for each user.
>
> Each password is stored in the database in the form of concatenated 
> strings hash + salt. Every password is 192 characters long (128 hash, 
> 64 seed).
>
> If passwords are stolen from the Katello database, an attacker needs to spend 
> a giant amount of effort to retrieve a single one. Thanks to the seed string 
> and repetition this will last centuries.
>
> Katello is now safe regarding storing passwords in its database.
>
> Please do # rake setup to reset the password to "admin" now. Thanks.
>
... and on this background:

isn't it time to think about changing the password (both UI/API options)?

For me, admin/admin looks so simple ...
(I hope the process itself would not be so time consuming, given the algorithm above)

Thanks Lukas for detailed description :)
Garik
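The scheme Lukas describes above (SHA-512 over "password:salt" with a 64-character per-user salt, iterated 500 times, stored as the 128-character hex hash followed by the 64-character salt) is concrete enough to write down. What follows is an added example in Ruby, Katello's language; it is not Katello's own code and does not come from the original message. The module name, the choice of a hex salt from SecureRandom, the rule that rounds 2..500 re-hash the previous hex digest, and the constant-time comparison are all assumptions; the message does not pin down how the 500 repetitions chain or how the check is performed.

```ruby
require 'digest'
require 'securerandom'

# Added example implementing the storage scheme described in the quoted
# message: SHA-512 iterated 500 times over "password:salt", stored as
# hash + salt (128 + 64 = 192 characters). Not Katello's code; names and
# the chaining rule for the rounds are assumptions.
module IteratedSha512Password
  ROUNDS   = 500
  SALT_LEN = 64    # 64 hex characters, as the message says
  HASH_LEN = 128   # length of a SHA-512 hex digest

  # Assumption: per-user salt is 64 hex characters from a CSPRNG.
  def self.generate_salt
    SecureRandom.hex(SALT_LEN / 2)
  end

  # Assumption: round 1 hashes "password:salt"; each further round hashes
  # the previous round's hex digest. The message leaves this open.
  def self.digest(password, salt)
    h = Digest::SHA512.hexdigest("#{password}:#{salt}")
    (ROUNDS - 1).times { h = Digest::SHA512.hexdigest(h) }
    h
  end

  # Stored form: 128 hex chars of hash, then the 64-char salt.
  def self.store(password, salt = generate_salt)
    raise ArgumentError, 'salt must be 64 hex characters' unless salt =~ /\A\h{64}\z/
    digest(password, salt) + salt
  end

  # Split a stored value back into [hash, salt].
  def self.split(stored)
    unless stored.length == HASH_LEN + SALT_LEN
      raise ArgumentError, "stored value must be #{HASH_LEN + SALT_LEN} characters"
    end
    [stored[0, HASH_LEN], stored[HASH_LEN, SALT_LEN]]
  end

  # Constant-time comparison so the check does not leak how many leading
  # characters of the hash matched. A practitioner's addition, not part
  # of the described scheme.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Recompute the hash with the stored salt and compare against the stored hash.
  def self.verify?(password, stored)
    hash, salt = split(stored)
    secure_compare(digest(password, salt), hash)
  end
end

if __FILE__ == $PROGRAM_NAME
  stored = IteratedSha512Password.store('admin')
  puts stored.length                                    # 192
  puts IteratedSha512Password.verify?('admin', stored)  # true
  puts IteratedSha512Password.verify?('Admin', stored)  # false
end
```

Two points worth keeping in mind when reading the claims in the quoted message: the salt defeats precomputed tables and forces per-user attacks, but 500 rounds of SHA-512 is a small work factor on modern hardware compared with what a purpose-built password hash (bcrypt, scrypt, PBKDF2 with a high iteration count) provides, so the "centuries" estimate should be checked against actual cracking throughput rather than assumed. The cost is also low enough that Garik's worry about login latency is unfounded in practice.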



