diff options
author | Yorhel <git@yorhel.nl> | 2015-11-01 10:37:56 +0100 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2015-11-01 10:38:43 +0100 |
commit | 3de8d24697511fe324cae2526eb65d6aafb5968b (patch) | |
tree | b34f6a3b91352d9f753d9d3e3ae0e1a93acc758c /lib/VNDB/Util | |
parent | 4b1807a58912ff0b4542063071e072ccf53fd1bd (diff) |
Removed support for sha256-hashed passwords
They had to be deleted from the database at some point, otherwise we
still have thousands of easily-cracked password hashes in the database.
Note that I could have opted to use scrypt on top of the sha256 hashes
so the passwords would remain secure without needing to reset
everything, but doing that after one year of switching to scrypt is
likely not worth it. Everyone who still actively uses his account has
already been converted to scrypt, everyone else should just reset their
password whevener they decide to come back.
Diffstat (limited to 'lib/VNDB/Util')
-rw-r--r-- | lib/VNDB/Util/Auth.pm | 23 |
1 files changed, 2 insertions, 21 deletions
diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm index a1c6cf08..0c3b5b73 100644 --- a/lib/VNDB/Util/Auth.pm +++ b/lib/VNDB/Util/Auth.pm @@ -5,7 +5,7 @@ package VNDB::Util::Auth; use strict; use warnings; use Exporter 'import'; -use Digest::SHA qw|sha1 sha1_hex sha256|; +use Digest::SHA qw|sha1 sha1_hex|; use Crypt::URandom 'urandom'; use Crypt::ScryptKDF 'scrypt_raw'; use Encode 'encode_utf8'; @@ -112,16 +112,7 @@ sub _authCheck { my $d = $self->dbUserGet(username => $user, what => 'extended notifycount')->[0]; return 0 if !$d->{id}; - # Old-style hashes - if(length $d->{passwd} == 41) { - return 0 if _authPreparePassSha256($self, $pass, substr $d->{passwd}, 0, 9) ne $d->{passwd}; - $self->{_auth} = $d; - # Update database with new hash format, now that we have the plain text password - $self->dbUserEdit($d->{id}, passwd => $self->authPreparePass($pass)); - return 1; - } - - # New scrypt hashes + # scrypt format if(length $d->{passwd} == 46) { my($N, $r, $p, $salt) = unpack 'NCCa8', $d->{passwd}; return 0 if $self->authPreparePass($pass, $salt, $N, $r, $p) ne $d->{passwd}; @@ -144,16 +135,6 @@ sub authPreparePass { } -# Same as authPreparePass, but for the old sha256 hash. -# Arguments: pass, optionally salt -# Returns: encrypted password (as a binary string) -sub _authPreparePassSha256 { - my($self, $pass, $salt) = @_; - $salt ||= encode_utf8(randomascii(9)); - return $salt.sha256($self->{global_salt} . encode_utf8($pass) . $salt); -} - - # Generates a random token that can be used to reset the password. # Returns: token (hex string), token-encrypted (binary string) sub authPrepareReset { |