Forum OpenACS Q&A: Re: Usage of SHA-1 in OpenACS

Posted by Gustaf Neumann on
The biggest sha1-based threat are the password hashes, which can result in identity theft. This happens typically via a dictionary attack, where the attacker knows (a) the hash, (b) the salt and computes based on a kind of dictionary hash values, and when the result is identical with the password hash, the password is regarded as cracked. Salts are used to make the hashes different even when the plain text of the password is the same. Some systems use a small set of salts (e.g the original Unix crypt() uses a 12 bit salt), which is not the case for OpenACS (uses as 128bit salt).

... SHA-1 for password encryption in OpenACS
The passwords are not encrypted with SHA1, just hashes of the passwords are saved - but also not in all OpenACS installations. Many large OpenACS sites do not store passwords at all (our university is using the OpenACS based LEARN environment Kerberos authentication) - so there is absolutely no thread on this. So, one cannot deduce a security threat by there mere usage of sha1.

Notice that the password hashes never leave the system on regular use, so the attacker has to get it. When the hash is saved in the DB, an attacker needs access to these tables (via system intrusion, or SQI, ...) to attack the hashes. Therefore security pretty much depends on the site security. There is a security thread, when e,g. arbitrary users get access to these database tables, ... but then, one is already in big troubles, so the hash is probably not the biggest concern. One has to be careful, when old disks are replaced, or etc. So, it is certainly better to use modern password suited hashes. Using sha2 or sha3 is no real improvement.

If you are using a version of OpenACS older than 5.9.1 then there are much more things to worry about than using sha1. The biggest thread are usually site-specific packages, which were developed many years ago, at a time, where people are primarily concerned about functionality, and not about security. My recommendation is to use tools like Acunetix to check the web security in a first step. We use on every release step in LEARN.