Switched to PBKDF2 password hash

2018-08-08 19:54:31 +02:00 · 2018-08-08 19:54:31 +02:00 · cbf6ef31f2
commit cbf6ef31f2
parent f339582025
5 changed files with 33 additions and 27 deletions
--- a/src/zall/action/user/ModifyUserStatusAction.java
+++ b/src/zall/action/user/ModifyUserStatusAction.java
@ -37,10 +37,10 @@ public class ModifyUserStatusAction extends ZalleryAction {
            if (request.getParameter("email") != null)
                target_user.setEmail(request.getParameter("email"));
            if (request.getParameter("password") != null) {
-                if (target_user.getPassword() == null)
+                if (target_user.getPasswordHash() == null)
                    target_user.setPassword(request.getParameter("password"));
                else if (request.getParameter("oldPassword") != null)
-                    if (target_user.getPassword().equals(request.getParameter("oldPassword")))
+                    if (target_user.getPasswordHash().equals(request.getParameter("oldPassword")))
                        target_user.setPassword(request.getParameter("password"));
                    else {
                        msgs.add(new UserMessage(MessageLevel.ERROR, "Wrong password!"));
--- a/src/zall/bean/User.java
+++ b/src/zall/bean/User.java
@ -20,7 +20,8 @@ public class User extends DBBean {
    protected String name;
    protected String email;
    protected boolean emailVerified;
-    protected String password;
+    protected String passwordHash;
+    protected String passwordSalt;
    // Date
    protected Timestamp loginDate;
    // security
@ -89,7 +90,7 @@ public class User extends DBBean {
    }

    public String generateEmailVerificationHash() {
-        return Hasher.MD5("##helloWorld-->2011" + email + name + password);
+        return Hasher.MD5("##helloWorld-->2011" + email + name + passwordHash);
    }


@ -138,12 +139,17 @@ public class User extends DBBean {
        this.emailVerified = verified;
    }

-    public String getPassword() {
-        return password;
+    public String getPasswordHash() {
+        return passwordHash;
    }

    public void setPassword(String password) {
-        this.password = Hasher.MD5(password);
+        String newPasswordSalt = Hasher.SHA1(Math.random()).substring(0, 5);
+        String newPasswordHash = Hasher.PBKDF2(password, newPasswordSalt, 1000);
+
+        // We wait with setting the actual fields if there is an exception
+        this.passwordSalt = newPasswordSalt;
+        this.passwordHash = newPasswordHash;
    }

    public String getCookieHash() {
--- a/src/zall/manager/AuthenticationManager.java
+++ b/src/zall/manager/AuthenticationManager.java
@ -35,7 +35,7 @@ public class AuthenticationManager {

        // Valid email?
        if( user != null ){
-            if (user.getPassword().equals(Hasher.MD5(password))) {
+            if (user.getPasswordHash().equals(Hasher.MD5(password))) {
                setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
                return user;
            } else {