Re: ImpressCMS - Security

Posted by Madfish on 1306687708
Positives: The trust path, use of salts (see Vaughan's posts about how it works), and the updated hash algorithm. Also, support for SSL login and full-site SSL. There's the alternative authentication mechanisms but I haven't used them much so I don't know whether these are security enhancements or just conveniences.

Negatives: I think we have the basics covered. Sending passwords in the clear irks me, but the fact is that it is difficult to address in an out-of-the-box install and as far as I know all major CMS still work that way. I'm still working on adding support for 2-factor authentication (using hardware token) with Vaughan.

I think adding password stretching would be a useful improvement to harden password hashes against offline dictionary attacks, but I'm still arguing the case for that one.

This Post was from: