
Passwords not hashed or encrypted #1975

Closed
kurtcoke opened this issue Aug 25, 2014 · 8 comments

@kurtcoke

This has been an issue on OpenERP but also exists on Odoo:

See for yourself. In this example the database named somedb has user admin with password admin. Log in to the postgres command line:

# \c somedb

somedb=# select login, password from res_users where id = 1;
 login | password 
-------+----------
 admin | admin
@xmo-odoo
Collaborator

That's what the auth_crypt module is for.

@alejandrosantana

For password encryption there is a module named auth_crypt: https://www.odoo.com/apps/trunk/auth_crypt/
Thus, password encryption is optional. Plain text passwords "might" be useful in development, as people from odoo say.

@kurtcoke
Author

"Plain text passwords "might" be useful in development, as people from odoo say."
That is a rather ridiculous claim. It is a ridiculous idea to have users install a module to be able to hash passwords as opposed to enforcing this by default.

@alejandrosantana

Yes, I also believe the default behaviour should be encrypted, with an optional module to make it clear text (for development purposes, maybe?). But the current situation is the one described.
So don't forget to use auth_crypt.

@kurtcoke
Author

Oh yeah, the example I gave was just for the admin user. You can of course also do this:

somedb=# select login, password from res_users;

@kurtcoke
Author

Why has this issue been closed? Has there been a fix to the problem?

@falconmick

They shouldn't be encrypted, they should be hashed (encryption = at least a 1:1 ratio of password length to encrypted output length, and is reversible; hashing will result in a fixed length and is non-reversible).

@xmo-odoo please explain to me how knowing passwords in development is of any use to a developer.

You should make it as easy as possible for people to succeed with your project; making it so they need to remember to add security before pushing is just asking for configuration errors (people forgetting to add it). Also, a lot of people just don't understand password security, so they won't ever get rid of plain text. Make it easy for people to succeed, hard to fail.

@xmo-odoo
Collaborator

xmo-odoo commented Oct 1, 2014

@kurtcoke

Why has this issue been closed? Has there been a fix to the problem?

The fix was always there (install auth_crypt), auth_crypt is automatically installed in v8 (since 5388eee)

@falconmick

They shouldn't be encrypted, they should be hashed

Cryptographic hashing is a subset of encryption, so are KDFs. In Odoo 8, auth_crypt defaults to pbkdf2_sha512 via passlib and this can be overridden with a different KDF if desired or necessary.

As far as I know it has never used a reversible encryption scheme, although it has historically used a weak KDF (md5crypt).

please explain to me how knowing passwords in development is of any use to a developer.

Why would I explain a position I never held?
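Worked example, added here and not code from the thread, Odoo, or passlib: it shows what the `password` column of a `res_users`-style table looks like once it holds a salted PBKDF2-HMAC-SHA512 string instead of the clear-text value shown earlier in the thread, how verification recomputes the digest from the stored salt and round count, and a small audit that runs the thread's `select login, password from res_users` query and flags rows that are still clear text. The storage format `pbkdf2-sha512$<rounds>$<salt-hex>$<digest-hex>`, the round count, the in-memory SQLite table, and the sample users are all assumptions made for the example; passlib's real `pbkdf2_sha512` uses its own modular-crypt encoding and defaults.

```python
"""Salted KDF password storage next to the clear-text case from the thread.

Added example, not Odoo's or passlib's code. The string format below is a
simplified stand-in for passlib's modular-crypt format; the rounds, the
SQLite table and the sample users are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import sqlite3

SCHEME = "pbkdf2-sha512"
DEFAULT_ROUNDS = 210_000  # assumed value for the example, not a passlib/Odoo default


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS, salt: bytes | None = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA512 digest and encode it with its parameters."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password; never reuse across users
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{SCHEME}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:  # a clear-text value such as "admin" never parses
        return False
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_hashed(stored: str) -> bool:
    """True when the column value parses as one of our KDF strings."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    try:
        int(parts[1])
        bytes.fromhex(parts[2])
        bytes.fromhex(parts[3])
    except ValueError:
        return False
    return True


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for res_users: one clear-text row, two hashed rows (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table res_users (id integer primary key, login text, password text)")
    rows = [
        (1, "admin", "admin"),  # the clear-text case shown in the thread
        (2, "alice", hash_password("correct horse battery staple", rounds=1000, salt=b"\x00" * 16)),
        (3, "bob", hash_password("hunter2", rounds=1000)),
    ]
    conn.executemany("insert into res_users values (?, ?, ?)", rows)
    return conn


def audit_clear_text(conn: sqlite3.Connection) -> list[str]:
    """Run the thread's query and return logins whose password column is not a KDF string."""
    cur = conn.execute("select login, password from res_users order by id")
    return [login for login, stored in cur if not is_hashed(stored)]


if __name__ == "__main__":
    db = build_sample_db()
    print("clear-text logins:", audit_clear_text(db))
    h = hash_password("admin")
    print(verify_password("admin", h), verify_password("Admin", h))
```

The audit is the check a practitioner would run after installing `auth_crypt` on an existing database: a row whose `password` column does not parse as a KDF string is still clear text and will only be rehashed once that user logs in again, so the query should be repeated until it returns no rows.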
