Activities

May 12
André Bunse replied to lsli lsli's message board post, RE: Force password change upon next user login, in Liferay.com.
3:00 AM Go to Category
May 11
lsli lsli wrote a new message board post, Force password change upon next user login, in Liferay.com.
1:23 PM Go to Category
January 21
2:10 PM Go to Category
December 30
lsli lsli commented on LPS-30180.
11:45 AM Hopefully, this can be done for CE as well. But this is a very important feature request that I would need, too (see https://www.liferay.com/community/forums/-/message_boards/message/14287120) and not just for SHA-1 -> BCRYPT, but also other hashing algorithms, e.g. SHA-1 -> SHA-384, SHA-256 -> SHA-3, etc. Also, this has to be somewhat critical because of the unsafe nature of SHA-1 - and also to future-proof other Liferay versions as certain hashing algorithms are shown to be vulnerable. My suggestion would be to add another column in the User_ table that keeps track of the hashing/encryption algorithm used for the particular user, e.g. hash_alg. Every time Liferay starts up and it notices the value in the column is null for any User_ record, it uses the current property value of the passwords.encryption.algorithm key in the portal.properties file. This would be done when this fix is put into Liferay. The hash_alg value can then be used for that particular user when he or she logs in - Liferay would then use that particular hashing algorithm to hash the clear password. The code would also check every time the user logs in and see if the current property value of the key passwords.encryption.algorithm is different from the current hashing algorithm indicated by the user (in the hash_alg column). If it is, Liferay hashes/encrypts the clear password with the current hashing algorithm indicated in the portal.properties' passwords.encryption.algorithm value, then overwrites both the hash_alg and password_ field values. What this accomplishes is a smooth transition from one hashing algorithm to another - without having the user know - i.e. without any user interaction. Another possible feature is for those users that have already had their passwords hashed with SHA1 - that there would be a feature requiring users to reset their passwords. In the meantime, their current passwords would be cleared from the database (i.e. the password_ column) as a security measure. Thus, on their attempted login, an email (using their account email address) would ask them to reset their password using a link. Again, this would just be an additional security measure - and would be an option for the administrator to invoke if the hashing algorithm changed. I know this can probably accomplished using some custom code (Expando and perhaps some other coding changes) as a custom fix, but it would be nice if Liferay can institutionalize this fix for everyone. And because of the possible future security issues with any hashing algorithm used, I believe this is a critical and necessary feature request. Remember how LinkedIn had this password hash issue?: http://www.computerworld.com/s/article/9227869/Hackers_crack_more_than_60_of_breached_LinkedIn_passwords Another suggestion is that Liferay default the hashing algorithm to something stronger than SHA-1 in the portal.properties file. For Liferay novices (a few years ago) who didn't pick up on this particular property, it would be nice to protect novice Liferay users/administrators.
August 28
7:39 AM Go to Category
May 6
lsli lsli commented on LPS-12222.
lsli lsli commented on LPS-12129.
May 5
lsli lsli replied to lsli lsli's message board post, RE: MySQL/Scheduler Issue, in Liferay.com.
11:41 PM Go to Category
lsli lsli wrote a new message board post, MySQL/Scheduler Issue, in Liferay.com.
1:20 AM Go to Category
January 21
9:28 AM Go to Category
Subscribe to lsli lsli's activities. (Opens New Window)