Skip to content
This repository has been archived by the owner on Nov 2, 2019. It is now read-only.

MD5 password encryption is insecure #3

Open
junhoyeo opened this issue Jan 5, 2019 · 1 comment
Open

MD5 password encryption is insecure #3

junhoyeo opened this issue Jan 5, 2019 · 1 comment
Labels
enhancement New feature or request

Comments

@junhoyeo
Copy link
Contributor

junhoyeo commented Jan 5, 2019

https://github.com/CIVAR-DIMIGO/Dimiwords/blob/master/Server/routes/auth/login.js

제보자: 김동영, 김진서

var password = crypto.createHash('md5').update(req.body.password, 'utf8').digest('hex')

사용자 패스워드가 MD5로 해싱되어 저장된다.

취약한 이유

솔루션

  • 패스워드 암호화 방식을 bcrypt, scrypt 등으로 변경한다.
  • MD5로 해싱된 패스워드를 보유한 기존 유저의 경우 다음 로그인 시 비밀번호 재입력 및 변경 절차를 거친 뒤 서비스를 이용할 수 있게 한다.
@junhoyeo junhoyeo self-assigned this Jan 5, 2019
@junhoyeo junhoyeo added the enhancement New feature or request label Jan 5, 2019
@junhoyeo junhoyeo removed their assignment Jan 6, 2019
@junhoyeo
Copy link
Contributor Author

junhoyeo commented Jan 6, 2019

현재 scrypt 적용을 고려하고 있다.

@junhoyeo junhoyeo added invalid This doesn't seem right and removed invalid This doesn't seem right labels Mar 17, 2019
@junhoyeo junhoyeo mentioned this issue Mar 18, 2019
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@junhoyeo