Encryption, Hashing. A jedi craves not these things.

My current employer uses the open source project called openreports to host our internal reports. We noticed fairly quickly that it was storing the user account passwords in plain text in the database and I was tasked with fixing this.

So the first thing I did was check the docs and noticed some optional steps for encrypting the passwords in the database. I noticed that there wasn’t a way to set an encryption key, however. I was hoping that maybe they meant they hash the pw, in which case a key wouldn’t be needed, but I’ve worked with openreports enough to fear otherwise.

I started digging through the source code and still didn’t see any way to set the key. So I ended up finding the code that transforms the password and was shocked by what I saw:

BCodec bCodec = new BCodec();
return bCodec.encode(password);

org.apache.commons.codec.net.BCodec is a base 64 encoding class. My rage on seeing this was indescribable. The worst part was that I couldn’t even salvage this code because it required the ability to “decode” and since I decided to use a salted sha256 hash there was no way to “decode” that at all.

TL;DR: Base 64 encoding is not encryption or hashing.
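The difference between the two storage schemes, as an added example that is not code from openreports or from the original post: a BCodec-style value is reversed with no key, while a salted SHA-256 value can only be re-computed and compared. Assumptions: the class name, the `salt$hash` column layout and the sample password are made up for illustration, and java.util.Base64 stands in for commons-codec so the file compiles on its own (the `=?UTF-8?B?...?=` wrapper is the form BCodec emits).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class PasswordStorageDemo {

    // Reverses a BCodec-style value ("=?UTF-8?B?<base64>?=") with no key at all.
    static String decodeBCodec(String stored) {
        String b64 = stored.substring(stored.indexOf("?B?") + 3, stored.lastIndexOf("?="));
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    // SHA-256 over salt || password; one-way, so there is nothing to "decode".
    static byte[] sha256(byte[] salt, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Stored form (assumed layout): base64(salt) + "$" + base64(hash), fresh salt per user.
    static String hashForStorage(String password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(sha256(salt, password));
    }

    // Login check: recompute with the stored salt and compare in constant time.
    static boolean verify(String stored, String candidate) throws Exception {
        String[] parts = stored.split("\\$");
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        return MessageDigest.isEqual(expected, sha256(salt, candidate));
    }

    public static void main(String[] args) throws Exception {
        String password = "correct horse"; // constructed sample value
        String encoded = "=?UTF-8?B?" + Base64.getEncoder()
                .encodeToString(password.getBytes(StandardCharsets.UTF_8)) + "?=";
        System.out.println("encoded column value: " + encoded);
        System.out.println("recovered without a key: " + decodeBCodec(encoded));

        String stored = hashForStorage(password);
        System.out.println("salted hash column value: " + stored);
        System.out.println("right password: " + verify(stored, password));
        System.out.println("wrong password: " + verify(stored, "wrong guess"));
    }
}
```

A single SHA-256 pass is fast to brute-force offline; the JDK's PBKDF2WithHmacSHA256 (via SecretKeyFactory) fits the same salt-plus-hash layout with a tunable iteration count.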

2 Responses to “Encryption, Hashing. A jedi craves not these things.”

  1. Alex Skorulis Says:

    I think it’s amazing how many developers don’t seem to understand the concept of password hashing considering in its simplest form you can do it in 10 lines of code. But then I guess companies wouldn’t be able to email users their passwords when they forget them *cringe*

  2. Patrick Simpson Says:

    A company I worked for a long, long time ago did something only slightly more secure. They had to encrypt some data that was stored in config files, but had no mechanism to deal with keys, so they generated a random key and stored it together with the encrypted data. Sigh.
