brodock wrote: Accounts shouldn't store passwords in plain text. Never.
Collabtive does not store, and has never stored, account passwords in plaintext.
Please note that until this is done, Collabtive can be considered to have a major security flaw, as, if security is compromised, then every person's password can be recovered, and this is really a bad thing.
Rubbish. The mentioned article talks about the fact that when you use MD5 to hash passwords this can not be considered "safe" until you use a salt.
The thing is that, indeed, MD5 was broken several years ago - and it isn't hard to calculate collisions.
From the article:
Hashed passwords are generally looked at as the solution to this problem. No passwords are stored in plain-text, and it’s hard to guess a password that’ll match a certain hash so even if the password database is compromised or snooped you don’t need to worry too much.
That may have been true, but hashes for many common words, passwords and passphrases have already been calculated. Translating from those hashes back to a password that’ll match is trivial. Remember, since the original password isn’t stored, all you need to do is match the hash – the actual input doesn’t matter.
How easy is it to break into an account that’s protected by an MD5 hashed password? Let’s say we had attacked a site and found the following table of usernames and passwords:
Collabtive, by contrast, does not use MD5 to hash passwords. It uses SHA1. SHA1 has, up to today, not been compromised by a practical attack.
I agree that using a salt helps to strengthen weak password input by the user. But in the end - weak passwords are a problem of garbage in - garbage out.
I strongly disagree that using SHA1 without a salt can be considered "a major security flaw".
I even more strongly disagree with the assertion that "if security is compromised, then every person's password can be recovered, and this is really a bad thing."
Because it simply is not true. If you compromise the DB Collabtive is running on, you get access to all the SHA1 hashes of the users' passwords. This does not mean that the plaintext can be recovered easily.
I get the impression that you don't really know what you are talking about, since you haven't even taken the time to check which method Collabtive really uses and instead simply assert that "passwords are stored in plaintext".
Or that there "is a major security flaw" - because you read something along those lines somewhere. Please get a clue.
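An added example, not code from this thread or from Collabtive, showing the property the two posters argue about: with unsalted SHA1 two users who pick the same password get the same stored hash (so one precomputed entry matches all of them), while a per-user random salt with PBKDF2 gives every account a distinct hash and still verifies. The user names and passwords are constructed sample data; the storage format `salt$iterations$hash` is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: two users who happen to choose the same weak password.
USERS: Dict[str, str] = {"alice": "summer2009", "bob": "summer2009"}


def sha1_unsalted(password: str) -> str:
    """Plain SHA1 of the password, the scheme discussed in the thread."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA1, stored as 'salt_hex$iterations$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every account
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_hashes_collide(users: Dict[str, str]) -> bool:
    """True if two accounts share a stored hash: a single lookup-table hit unlocks both."""
    hashes = [sha1_unsalted(p) for p in users.values()]
    return len(set(hashes)) < len(hashes)


def salted_hashes_collide(users: Dict[str, str]) -> bool:
    """Same check for the salted scheme; distinct salts make identical passwords look different."""
    hashes = [salted_hash(p) for p in users.values()]
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    print("unsalted SHA1 hashes collide:", unsalted_hashes_collide(USERS))  # True
    print("salted hashes collide:       ", salted_hashes_collide(USERS))    # False
    record = salted_hash(USERS["alice"])
    print("verify correct password:     ", verify_salted("summer2009", record))  # True
    print("verify wrong password:       ", verify_salted("winter2009", record))  # False
```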