Loading...

XML

Word

Printable

Details

Type: Improvement
Resolution: Done
Priority: High
Fix Version/s: 2017.10, 1.12.0
Affects Version/s: 2015.07, 1.11.0, 2017.08
Component/s: Platform > Repository & Services (Public API impl), Security
Labels:
None

Epic Link:
Hardening security

Description

Currently eZ Publish is only using plain text or MD5 for password hash, this improvement implements the usage of BCRYPT to improve the security of the stored passwords.

It uses PHP's PASSWORD_DEFAULT as default algorithm, meaning that BCRYPT may be replaced by something else in the future.

NB: This expands the password_hash DB column from 50 to 255 characters, to make room for the bigger hash, and future expansions.

Attachments

Issue Links

relates to

EZP-28147 Updated user cannot log in

Closed

testing discovered

EZP-28147 Updated user cannot log in

Closed

EZP-28213 Deprecate insecure hash methods

Documentation Review done

EZP-28214 Password hash silently defaults to MD5

Closed

EZP-28010 Update password hash type to current default when changing the user password

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Pedro Resende (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 30/Aug/15 2:18 AM

Updated:: 28/Feb/19 4:08 PM

Resolved:: 28/Feb/19 4:08 PM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

4d 5h 35m