Last modified: 2011-03-19 23:46:34 UTC

Archived Wikimedia Bugzilla page (read-only). The corresponding Wikimedia Phabricator task is T30050.
Bug 28050 - Login using a hashed password
Status: VERIFIED INVALID
Product: MediaWiki
Classification: Unclassified
Component: API
Version: unspecified
Hardware/OS: All / All
Importance: Normal enhancement
Target Milestone: ---
Assigned To: Roan Kattouw
Reported: 2011-03-15 00:02 UTC by xiaomao5
Modified: 2011-03-19 23:46 UTC
CC: 6 users



Description xiaomao5 2011-03-15 00:02:51 UTC
It seems that MediaWiki doesn't allow login using a hashed password. The bot's password can be easily viewed by other people.

My suggestion is to support md5, sha1 or sha256 hashes so that the password can't be easily unhashed.
Comment 1 Sam Reed (reedy) 2011-03-15 00:22:50 UTC
Which is exactly the same as normal login.

Also, how are we supposed to then hash the password with a salt? (Note this is off the top of my head, no code access atm.)

Which also limits the hashing types...

That and md5 isn't the most secure. And many lookup tables exist to try and get your password from the hash.

Besides, if the zoo accepts hashes, if your hash is intercepted, you're back to square one.

Also, if we expose the salt, it gives the same issues.
Comment 2 Platonides 2011-03-15 00:34:31 UTC
Just set a password like a4d35e93d6c0787428f2fdf6a29457e0.

If your bot can log into the wiki, an attacker who stole all your bot data could as well.
If you don't like to store passwords in configuration files, you can make the bot only store the authentication in memory, and forget the password as soon as it gets logged in.
Some bots also offer a middle alternative, which is prompting for the password the first time, and then working from the saved cookie. That cookie is password-equivalent, but at least the password is not published.
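The point made in comments 1 and 2 can be shown in a few lines. The following is an added example written for this page, not code from MediaWiki or from any bot framework: a toy wiki (constructed here, with PBKDF2 standing in for the server's salted password storage) that issues session cookies, a function showing that once the server has to accept md5(password) the hash itself becomes the credential, and the two alternatives from comment 2: a random password, and a login helper that prompts once and keeps only the cookie in memory. The names `ToyWiki`, `ExampleBot`, `login_keep_only_cookie` and the sample password are all assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# ---- Server side: toy model of a wiki with salted password storage ----
# Constructed for this example; it stands in for MediaWiki's account store
# and is not its real code. Each user gets a random salt and a PBKDF2 digest.

@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes

def derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

class ToyWiki:
    def __init__(self) -> None:
        self.users: dict[str, StoredCredential] = {}
        self.sessions: dict[str, str] = {}  # session cookie -> user name

    def register(self, name: str, secret: str) -> None:
        salt = os.urandom(16)
        self.users[name] = StoredCredential(salt, derive(secret, salt))

    def login(self, name: str, secret: str) -> Optional[str]:
        cred = self.users.get(name)
        if cred is None:
            return None
        if not hmac.compare_digest(derive(secret, cred.salt), cred.digest):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = name
        return cookie

    def whoami(self, cookie: str) -> Optional[str]:
        return self.sessions.get(cookie)

# ---- The request in this bug: "log in with md5(password) instead" ----
# A server that salts its own hashes can only honour that by treating the
# client-side hash as the secret it stores and checks. The hash then opens
# the account exactly as the password did, so a config file holding it is
# no safer (comment 1: "you're back to square one").

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def hash_login_is_password_equivalent() -> bool:
    wiki = ToyWiki()
    wiki.register("ExampleBot", md5_hex("hunter2"))  # hash-based scheme
    value_read_from_config = md5_hex("hunter2")       # what the config exposes
    return wiki.login("ExampleBot", value_read_from_config) is not None

# ---- Comment 2's alternatives ----
# (a) A random password is as strong as any hash the config could hold.

def random_bot_password() -> str:
    return secrets.token_hex(16)  # 32 hex chars, like the value in comment 2

# (b) Prompt once, keep only the session cookie, drop the password.

class BotSession:
    """Holds a session cookie and never the password it was obtained with."""
    def __init__(self, cookie: str) -> None:
        self.cookie = cookie

def login_keep_only_cookie(wiki: ToyWiki, name: str,
                           prompt: Callable[[], str]) -> Optional[BotSession]:
    password = prompt()   # e.g. getpass.getpass in a real bot
    cookie = wiki.login(name, password)
    del password          # nothing below this line can reach the plaintext
    return BotSession(cookie) if cookie else None

if __name__ == "__main__":
    wiki = ToyWiki()
    pw = random_bot_password()
    wiki.register("ExampleBot", pw)
    session = login_keep_only_cookie(wiki, "ExampleBot", lambda: pw)
    print("logged in as", wiki.whoami(session.cookie))
    print("md5 login is password-equivalent:", hash_login_is_password_equivalent())
```

The `del password` is the whole of comment 2's "forget the password as soon as it gets logged in": after it, the only thing the bot holds is the cookie, which is still password-equivalent for as long as the session is valid, but is not the reusable secret.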
