Switched to PBKDF2 password hash

db_structure.sql

@@ -60,10 +60,11 @@ CREATE TABLE `User` (
   `name` varchar(40) NOT NULL,
   `email` varchar(50) DEFAULT NULL,
   `emailVerified` tinyint(1) NOT NULL,
-  `password` varchar(32) DEFAULT NULL,
+  `passwordHash` varchar(64) DEFAULT NULL,
+  `passwordSalt` varchar(5) DEFAULT NULL,
   `ipHost` varchar(20) DEFAULT NULL,
   `loginDate` datetime DEFAULT NULL,
-  `sessionHash` varchar(32) DEFAULT NULL,
+  `cookieHash` varchar(32) DEFAULT NULL,
   `superUser` tinyint(1) NOT NULL,
   `enabled` tinyint(1) NOT NULL
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
@@ -72,8 +73,8 @@ CREATE TABLE `User` (
 -- Dumping data for table `User`
 --
 
-INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `password`, `facebookUid`, `sessionId`, `ipHost`, `loginDate`, `sessionHash`, `superUser`, `enabled`) VALUES
-(1, 'Admin Admin', 'admin@example.com', 1, '', NULL, '', '', '1970-01-01 01:00:0', '', 1, 1);
+INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `passwordHash`, `passwordSalt`, `ipHost`, `loginDate`, `cookieHash`, `superUser`, `enabled`) VALUES
+(1, 'Admin Admin', 'admin', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '', '1970-01-01 01:00:0', '', 1, 1);
 
 -- --------------------------------------------------------
 
@@ -120,8 +121,7 @@ ALTER TABLE `Image`
 ALTER TABLE `User`
   ADD PRIMARY KEY (`id`),
   ADD KEY `email` (`email`),
-  ADD KEY `sessionHash` (`sessionHash`),
-  ADD KEY `facebookUid` (`facebookUid`);
+  ADD KEY `cookieHash` (`cookieHash`);
 
 --
 -- Indexes for table `Video`

db_test_data.sql

@@ -1640,18 +1640,18 @@ INSERT INTO `Image` (`id`, `folder`, `filename`, `user`, `title`, `description`,
 -- Dumping data for table `User`
 --
 
-INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `password`, `facebookUid`, `sessionId`, `ipHost`, `loginDate`, `sessionHash`, `superUser`, `enabled`) VALUES
-(6, 'User 01', 'test@koc.se', 1, '6b8186c16808026b6f1dc60b148ced42', NULL, '95784E87A1640E85C37D7F1639E5F78C', '192.176.1.81', '2017-11-29 16:38:50', 'a0e09c1108fc5b004fcef94c6e0bb542', 1, 1),
-(23, 'User 02', 'test@example.com', 1, '4580389f38088ec92c5eae50d9a2403b', NULL, '73522EA6720A8B612DB183016D1AB718', '91.7.201.37', '2017-10-23 16:38:25', '0ea7b083e0ac6db2b07d907913e190fd', 0, 1),
-(25, 'User 03', 'test@example.com', 1, NULL, NULL, '6B8A79652F84DF3CCA7381D693478FD1', 'koc.se', '2011-09-30 09:33:12', '62a29eab987b7a3953111cb602766f09', 0, 1),
-(27, 'User 05', 'test@example.com', 1, '20cca4a3c87f8b8ffaa9e1754cee8bdf', NULL, 'F186D18D72B80EE5A7C15F2BF2ED144D', '86.84.84.192', '2017-09-17 14:32:29', 'be3286ac15e5c93f6104642fb50c23ff', 0, 1),
-(28, 'User 06', 'test@example.com', 1, 'c2087d8beea7df99d23292a0f805e34e', NULL, '3BA5AB8B39C12EA6F7D86529F189180B', 'koc.se', '2012-05-09 15:43:13', '1e74987a3d3ccc1dfdce1bb35c95dbee', 0, 1),
-(29, 'User 07', 'test@example.com', 1, 'f88910b4a83f7d074889aa02982e1eab', NULL, '402511A763FF4872B8D886C658C6EEFB', 'koc.se', '2012-10-31 18:52:15', '859f403053d7925731f611e5f8a1534b', 0, 1),
-(30, 'User 08', 'test@example.com', 1, '709e024ac8980bca06c0ec32ddcc1870', NULL, '48B523CD2A5B3F4185B756102448A9D4', 'koc.se', '2012-08-02 12:30:52', 'c2af6f2e738b67d5422e99f4ee6322cf', 0, 1),
-(33, 'User 09', 'test@example.com', 1, '755134b80c4f2f809314999da089742e', NULL, '730149420D78026FBC3DF33303CFD637', 'koc.se', '2012-11-20 20:56:22', 'e264557b8ee2dc6cb30686b1e4b49545', 0, 1),
-(35, 'User 10', 'test@example.com', 1, '6e010025868ff207d098954324849e89', NULL, '6017712D1C325EEC1F3AFB693A93ED31', 'www.koc.se', '2014-09-18 21:17:25', '152d20d7d48df05bafef1fe32023d085', 0, 1),
-(36, 'User 11', 'test@example.com', 1, '25d55ad283aa400af464c76d713c07ad', NULL, '70489CE7358FDFD6279D70EF20916FE6', 'koc.se', '2013-09-04 23:35:59', '0929202e64e78bab7d787873723ec979', 0, 1),
-(37, 'User 12', 'test@example.com', 0, '8cd18c951d9964343131aeb65b1dfaca', NULL, 'C38C6D0D49AFF8E625AFE4E726BAF5CE', 'koc.se', '2015-01-09 15:34:36', '6c74b9abd564b34313af7c5161557a80', 0, 1),
-(43, 'User 13', 'test@example.com', 0, '465860201c448343cf8a146bdd6868dd', NULL, 'A0DC6C15A921B653059D42BCD3F5EEBF', '91.7.239.138', '2017-08-01 23:48:15', '20a8626ffec27e2f90dc4bbaace4f995', 0, 1);
+INSERT INTO `User` (`id`, `name`, `email`, `emailVerified`, `passwordHash`, `passwordSalt`, `ipHost`, `loginDate`, `cookieHash`, `superUser`, `enabled`) VALUES
+(6,  'User 01', 'test@koc.se',      1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '192.176.1.81', '2017-11-29 16:38:50', 'a0e09c1108fc5b004fcef94c6e0bb542', 1, 1),
+(23, 'User 02', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '91.7.201.37', '2017-10-23 16:38:25', '0ea7b083e0ac6db2b07d907913e190fd', 0, 1),
+(25, 'User 03', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2011-09-30 09:33:12', '62a29eab987b7a3953111cb602766f09', 0, 1),
+(27, 'User 05', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '86.84.84.192', '2017-09-17 14:32:29', 'be3286ac15e5c93f6104642fb50c23ff', 0, 1),
+(28, 'User 06', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-05-09 15:43:13', '1e74987a3d3ccc1dfdce1bb35c95dbee', 0, 1),
+(29, 'User 07', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-10-31 18:52:15', '859f403053d7925731f611e5f8a1534b', 0, 1),
+(30, 'User 08', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-08-02 12:30:52', 'c2af6f2e738b67d5422e99f4ee6322cf', 0, 1),
+(33, 'User 09', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2012-11-20 20:56:22', 'e264557b8ee2dc6cb30686b1e4b49545', 0, 1),
+(35, 'User 10', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'www.koc.se', '2014-09-18 21:17:25', '152d20d7d48df05bafef1fe32023d085', 0, 1),
+(36, 'User 11', 'test@example.com', 1, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2013-09-04 23:35:59', '0929202e64e78bab7d787873723ec979', 0, 1),
+(37, 'User 12', 'test@example.com', 0, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', 'koc.se', '2015-01-09 15:34:36', '6c74b9abd564b34313af7c5161557a80', 0, 1),
+(43, 'User 13', 'test@example.com', 0, '6e88be8bad7eae9d9e10aa061224034fed48d03fcbad968b56006784539d5214', 'salt', '91.7.239.138', '2017-08-01 23:48:15', '20a8626ffec27e2f90dc4bbaace4f995', 0, 1);
 
 -- --------------------------------------------------------

src/zall/action/user/ModifyUserStatusAction.java

@@ -37,10 +37,10 @@ public class ModifyUserStatusAction extends ZalleryAction {
             if (request.getParameter("email") != null)
                 target_user.setEmail(request.getParameter("email"));
             if (request.getParameter("password") != null) {
-                if (target_user.getPassword() == null)
+                if (target_user.getPasswordHash() == null)
                     target_user.setPassword(request.getParameter("password"));
                 else if (request.getParameter("oldPassword") != null)
-                    if (target_user.getPassword().equals(request.getParameter("oldPassword")))
+                    if (target_user.getPasswordHash().equals(request.getParameter("oldPassword")))
                         target_user.setPassword(request.getParameter("password"));
                     else {
                         msgs.add(new UserMessage(MessageLevel.ERROR, "Wrong password!"));

src/zall/bean/User.java

@@ -20,7 +20,8 @@ public class User extends DBBean {
     protected String name;
     protected String email;
     protected boolean emailVerified;
-    protected String password;
+    protected String passwordHash;
+    protected String passwordSalt;
     // Date
     protected Timestamp loginDate;
     // security
@@ -89,7 +90,7 @@ public class User extends DBBean {
     }
 
     public String generateEmailVerificationHash() {
-        return Hasher.MD5("##helloWorld-->2011" + email + name + password);
+        return Hasher.MD5("##helloWorld-->2011" + email + name + passwordHash);
     }
 
 
@@ -138,12 +139,17 @@ public class User extends DBBean {
         this.emailVerified = verified;
     }
 
-    public String getPassword() {
-        return password;
+    public String getPasswordHash() {
+        return passwordHash;
     }
 
     public void setPassword(String password) {
-        this.password = Hasher.MD5(password);
+        String newPasswordSalt = Hasher.SHA1(Math.random()).substring(0, 5);
+        String newPasswordHash = Hasher.PBKDF2(password, newPasswordSalt, 1000);
+
+        // We wait with setting the actual fields if there is an exception
+        this.passwordSalt = newPasswordSalt;
+        this.passwordHash = newPasswordHash;
     }
 
     public String getCookieHash() {

src/zall/manager/AuthenticationManager.java

@@ -35,7 +35,7 @@ public class AuthenticationManager {
 
         // Valid email?
         if( user != null ){
-            if (user.getPassword().equals(Hasher.MD5(password))) {
+            if (user.getPasswordHash().equals(Hasher.MD5(password))) {
                 setUserAuthenticated(db, user, User.AuthType.USER_INPUT, request, response);
                 return user;
             } else {