github: shadowy octopus with the head of a robot, emblazoned with the Dreamwidth swirl (Default)
github ([personal profile] github) wrote in [site community profile] changelog2020-04-24 12:00 pm

[dreamwidth/dw-free] f2ad72: Add password 'peppering'

Branch: refs/heads/master
Home: https://github.com/dreamwidth/dw-free
Commit: f2ad720c85e2cf2507b569a6a9c7d466a29eb587
https://github.com/dreamwidth/dw-free/commit/f2ad720c85e2cf2507b569a6a9c7d466a29eb587
Author: Mark Smith <mark@dreamwidth.org>
Date: 2020-04-24 (Fri, 24 Apr 2020)

Changed paths:
M bin/upgrading/d10-passwords.pl
M bin/upgrading/update-db-general.pl
A cgi-bin/DW/Auth/Password.pm
M cgi-bin/LJ/Global/Defaults.pm
M cgi-bin/LJ/User/Login.pm
M doc/dependencies-cpanm

Log Message:
-----------
Add password 'peppering'

After discussion with a security engineering friend of mine, this is
take two at the secure password storage approach. Now, we are applying a
'pepper' on the web server, before we write to the database.

The advantage of this is that a database exfiltration does not result in
useful data (when it comes to passwords). In order to get useful data,
you need to get data off of the webserver memory/filesystem AND from the
database, which raises the bar.

The chosen peppering solution is symmetric encryption, which enables us
to do pepper rotation if we ever believe that our pepper key was
compromised somehow.

This also re-introduces [personal profile] momijizukamori's schema/revision/version
column, so we can change how passwords are stored in the future.
Additionally this pulls most of the functionality out into
DW::Auth::Password which will let us isolate things better and ensure
that it's easy to audit credential management code.


Commit: 3923237f135f5604127402bc2653cacddc531518
https://github.com/dreamwidth/dw-free/commit/3923237f135f5604127402bc2653cacddc531518
Author: Mark Smith <mark@dreamwidth.org>
Date: 2020-04-24 (Fri, 24 Apr 2020)

Changed paths:
M cgi-bin/DW/Auth/Password.pm
M cgi-bin/LJ/User/Login.pm

Log Message:
-----------
Tidy, sigh


Commit: a72e2bb2d37ccf695cf5c96aadaa7185c63628b3
https://github.com/dreamwidth/dw-free/commit/a72e2bb2d37ccf695cf5c96aadaa7185c63628b3
Author: Mark Smith <mark@dreamwidth.org>
Date: 2020-04-24 (Fri, 24 Apr 2020)

Changed paths:
M cgi-bin/DW/Auth/Password.pm
M cgi-bin/LJ/Global/Constants.pm
A t/auth-password.t

Log Message:
-----------
Refactor slightly, add tests


Commit: fafd92d0747eb65b892c1106a3955eb928322394
https://github.com/dreamwidth/dw-free/commit/fafd92d0747eb65b892c1106a3955eb928322394
Author: Mark Smith <mark@dreamwidth.org>
Date: 2020-04-24 (Fri, 24 Apr 2020)

Changed paths:
M t/auth-password.t

Log Message:
-----------
Fix test count


Compare: https://github.com/dreamwidth/dw-free/compare/fcdd4268784c...fafd92d0747e

Post a comment in response:

This account has disabled anonymous posting.
If you don't have an account you can create one now.
No Subject Icon Selected
More info about formatting

If you are unable to use this captcha for any reason, please contact us by email at support@dreamwidth.org