Encryption, Hashing. A jedi craves not these things.

My current employer uses the open source project called openreports to host our internal reports. We noticed fairly quickly that it was storing the user account passwords in plain text in the database and I was tasked with fixing this.

So the first thing I did was check the docs and noticed some optional steps for encrypting the passwords in the database. I noticed that there wasn’t a way to set an encryption key however.  I was hoping  that maybe they mean they hash the pw then a key wouldn’t be needed but I’ve worked with openreports enough to fear otherwise.

I started digging through the source code and still didn’t see anyway to set set the key. So I ended up finding the code that transforms the password and was shocked by what I saw:

BCodec bCodec = new BCodec();
return bCodec.encode(password);

org.apache.commons.codec.net.BCodec is a base 64 encoding class. My rage on seeing this was indescribable. The worst part was that I couldn’t even salvage this code because it required the ability to “decode” and since I decided to use a salted sha256 hash there was no way to “decode” that at all.

TL:DR Base 64 encoding is not encryption or hashing.

2 Responses to “Encryption, Hashing. A jedi craves not these things.”

  1. Alex Skorulis Says:

    I think it’s amazing how many developers don’t seem to understand the concept of password hashing considering in it’s simplest form you can do it in 10 lines of code. But then I guess companies wouldn’t be able email users their passwords when they forget them *cringe*

  2. Patrick Simpson Says:

    A company I worked for a long, long time ago did something onyl slightly more secure. They had to encrypt some data that was stored in config files, but had no mechanism to deal with keys, so they generated a random key and stored it together with the encrypted data. Sigh.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: