Branch: refs/heads/master
Home: https://github.com/dreamwidth/dw-free
Commit: f2ad720c85e2cf2507b569a6a9c7d466a29eb587
https://github.com/dreamwidth/dw-free/commit/f2ad720c85e2cf2507b569a6a9c7d466a29eb587
Author: Mark Smith <mark@dreamwidth.org>
Date: 2020-04-24 (Fri, 24 Apr 2020)
Changed paths:
M bin/upgrading/d10-passwords.pl
M bin/upgrading/update-db-general.pl
A cgi-bin/DW/Auth/Password.pm
M cgi-bin/LJ/Global/Defaults.pm
M cgi-bin/LJ/User/Login.pm
M doc/dependencies-cpanm
Log Message:
-----------
Add password 'peppering'
After discussion with a security engineering friend of mine, this is
take two at the secure password storage approach. Now, we are applying a
'pepper' on the web server, before we write to the database.
The advantage of this is that a database exfiltration does not result in
useful data (when it comes to passwords). In order to get useful data,
you need to get data off of the webserver memory/filesystem AND from the
database, which raises the bar.
The chosen peppering solution is symmetric encryption, which enables us
to do pepper rotation if we ever believe that our pepper key was
compromised somehow.
This also re-introduces momijizukamori's schema/revision/version
column, so we can change how passwords are stored in the future.
Additionally this pulls most of the functionality out into
DW::Auth::Password which will let us isolate things better and ensure
that it's easy to audit credential management code.
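An added worked example of the scheme this commit message describes: a per-user salted slow hash is computed first, the result is then encrypted on the web server under a "pepper" key before the row is written, and rotation re-encrypts rows under a new key without needing any user's password. This is illustration code, not the Perl in DW::Auth::Password, and the record layout (`version$keyid$nonce$ct$tag`), the key ids, the PBKDF2 cost and the HMAC-SHA256 counter-mode stand-in for a real AEAD are all assumptions of the example rather than anything the commit specifies.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumed parameters for the illustration (not dw-free's values).
SCHEMA_VERSION = 1          # mirrors the idea of a per-record version column
SALT_LEN = 16
NONCE_LEN = 16
PBKDF2_ITERATIONS = 50_000  # kept low so the demo runs quickly; raise it in production


def _subkeys(pepper_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the single pepper key."""
    return (hmac.new(pepper_key, b"enc", hashlib.sha256).digest(),
            hmac.new(pepper_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for a real AEAD such as AES-GCM or
    ChaCha20-Poly1305 so the demo needs only the stdlib; a nonce must never
    repeat under one key."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def pepper_encrypt(pepper_key: bytes, plaintext: bytes, aad: bytes) -> tuple:
    """Encrypt-then-MAC; the tag also covers aad (record version and key id)."""
    enc_key, mac_key = _subkeys(pepper_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def pepper_decrypt(pepper_key: bytes, nonce: bytes, ct: bytes, tag: bytes, aad: bytes) -> bytes:
    """Check the tag first, then decrypt; wrong key or tampering raises ValueError."""
    enc_key, mac_key = _subkeys(pepper_key)
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("password record failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def slow_hash(password: str, salt: bytes) -> bytes:
    """Per-user salted, slow hash computed before peppering."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _aad(version: int, key_id: str) -> bytes:
    return f"{version}${key_id}".encode()


def _parse(record: str) -> tuple:
    version, key_id, nonce, ct, tag = record.split("$")
    return int(version), key_id, bytes.fromhex(nonce), bytes.fromhex(ct), bytes.fromhex(tag)


def store_password(password: str, key_id: str, pepper_key: bytes) -> str:
    """Build the value written to the database: version$keyid$nonce$ct$tag (hex).
    Salt and hash are both inside the ciphertext, so the DB row alone is opaque."""
    salt = secrets.token_bytes(SALT_LEN)
    plaintext = salt + slow_hash(password, salt)
    nonce, ct, tag = pepper_encrypt(pepper_key, plaintext, _aad(SCHEMA_VERSION, key_id))
    return f"{SCHEMA_VERSION}${key_id}${nonce.hex()}${ct.hex()}${tag.hex()}"


def verify_password(password: str, record: str, pepper_keys: dict) -> bool:
    """Login check. pepper_keys maps key id -> key, held on the web server only."""
    version, key_id, nonce, ct, tag = _parse(record)
    if version != SCHEMA_VERSION or key_id not in pepper_keys:
        return False
    try:
        plain = pepper_decrypt(pepper_keys[key_id], nonce, ct, tag, _aad(version, key_id))
    except ValueError:
        return False
    salt, stored = plain[:SALT_LEN], plain[SALT_LEN:]
    return hmac.compare_digest(slow_hash(password, salt), stored)


def rotate_pepper(record: str, pepper_keys: dict, new_key_id: str, new_key: bytes) -> str:
    """Re-pepper one row under a new key. Needs the old key, not the user's
    password, so a whole table can be rotated after a suspected key compromise."""
    version, key_id, nonce, ct, tag = _parse(record)
    plain = pepper_decrypt(pepper_keys[key_id], nonce, ct, tag, _aad(version, key_id))
    nonce2, ct2, tag2 = pepper_encrypt(new_key, plain, _aad(version, new_key_id))
    return f"{version}${new_key_id}${nonce2.hex()}${ct2.hex()}${tag2.hex()}"


if __name__ == "__main__":
    keys = {"2020a": secrets.token_bytes(32)}
    row = store_password("correct horse battery staple", "2020a", keys["2020a"])
    print("db row:", row)
    print("login ok:", verify_password("correct horse battery staple", row, keys))
    keys["2020b"] = secrets.token_bytes(32)
    row2 = rotate_pepper(row, keys, "2020b", keys["2020b"])
    print("after rotation:", verify_password("correct horse battery staple", row2, keys))
    print("with only the DB row, no key:", verify_password("correct horse battery staple", row2, {}))
```

Two properties worth checking against the commit's stated goal: a copy of the table without the web server's key set cannot be used to verify a single guess, because the tag check fails before any hash comparison; and rotation touches only the outer encryption layer, so it needs no user interaction and leaves the per-user salt and slow hash untouched.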
Commit: 3923237f135f5604127402bc2653cacddc531518
https://github.com/dreamwidth/dw-free/commit/3923237f135f5604127402bc2653cacddc531518
Author: Mark Smith <mark@dreamwidth.org>
Date: 2020-04-24 (Fri, 24 Apr 2020)
Changed paths:
M cgi-bin/DW/Auth/Password.pm
M cgi-bin/LJ/User/Login.pm
Log Message:
-----------
Tidy, sigh
Commit: a72e2bb2d37ccf695cf5c96aadaa7185c63628b3
https://github.com/dreamwidth/dw-free/commit/a72e2bb2d37ccf695cf5c96aadaa7185c63628b3
Author: Mark Smith <mark@dreamwidth.org>
Date: 2020-04-24 (Fri, 24 Apr 2020)
Changed paths:
M cgi-bin/DW/Auth/Password.pm
M cgi-bin/LJ/Global/Constants.pm
A t/auth-password.t
Log Message:
-----------
Refactor slightly, add tests
Commit: fafd92d0747eb65b892c1106a3955eb928322394
https://github.com/dreamwidth/dw-free/commit/fafd92d0747eb65b892c1106a3955eb928322394
Author: Mark Smith <mark@dreamwidth.org>
Date: 2020-04-24 (Fri, 24 Apr 2020)
Changed paths:
M t/auth-password.t
Log Message:
-----------
Fix test count
Compare: https://github.com/dreamwidth/dw-free/compare/fcdd4268784c...fafd92d0747e