[Seaside] PBKDF2-HMAC-SHA1 password hashing for TF-Login
Pierce Ng
pierce at samadhiweb.com
Sun Nov 17 02:30:13 UTC 2019
Hi all,
I've implemented PBKDF2-HMAC-SHA1 in TF-Login 'password' branch to
replace the existing simple and insecure SHA1-based password hashing
scheme.
To load, start with fresh Pharo 7 image:
"First load Seaside."
Metacello new
baseline: 'Seaside3';
repository: 'github://SeasideSt/Seaside:v3.3.3/repository';
load.
"Then load TF-Login."
Metacello new
baseline: 'TFLogin';
repository: 'github://PierceNg/TF-Login:password/src';
load.
As originally implemented, TF-Login also supports cookie-based auto-login,
which works by storing username and the SHA1-hashed password in client
cookies. This scheme is certainly not secure by current standards and can't
be used together with PBKDF2-HMAC-SHA1 password hashing.
Possible future work on TF-Login password management:
- OAuth2, to replace the existing insecure cookie-based auto-login
- 2FA
Pierce
More information about the seaside
mailing list