The password hashing is a joke.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
7 years ago
I have created an anonymous account to write this, though I can see the emails.

I work as a penetration tester. I've been asked recently to test nopCommerce. I don't really know much about it code-wise, but what I have tested (hashed-password-wise) as Hash(SHA1):Salt is a joke.

For the first very large site, it took less than 4 minutes to reverse 40% of the passwords from a well-used password list. It took roughly 2 days to reverse 99% of the remaining passwords.

This was pretty much the case for the rest of them.

In this day and age this is very very very very important.

I don't know what is being updated in this codebase currently, but this should be it. And I really mean above everything else.

SHA1:Hash is just such a joke now I can't believe it's being used here.

It doesn't matter if you understand what this means, but simply put, from somebody that knows: shout as loud as you can. If whoever is in charge doesn't change this, I would strongly suggest you use something else till they do.

Use this software currently at your peril...
7 years ago
Yes, a weak password is weak and easily guessed, and if you get an offline copy of the site's SQL database you can easily dump the hashes and run an attack against the list.

All very true, but what's new about that, and does that impact the security of the store? Did you find a loophole to get direct access to the SQL database? That would be another story, but that's not what I read in your post.

By the way, the source code is freely available on this site, so as a "security expert in penetration testing" you should have no problem reading the implementation code.

T.
(not affiliated with NopCommerce)
7 years ago
I agree that any such hack is mostly due to poor passwords created by customers, and also that the attacker has managed to get access to the SQL database. I suspect the author is just indicating that the particular hash algorithm being used (SHA1) is subject to easy hacking. This article is helpful in that regard. Maybe the author can suggest his algorithm of choice.
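The first post's complaint is that a single salted SHA-1 is cheap to compute, so a leaked table falls quickly to a wordlist; the last post asks what to use instead. The following is an added Python illustration, not nopCommerce's code or schema: it places the fast legacy scheme beside a slow PBKDF2-HMAC-SHA256 scheme and shows the usual migration path, upgrading each legacy record on the user's next successful login. The record dict, its "scheme" tag and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical stored-record layout (not nopCommerce's): a "scheme" tag lets
# legacy SHA-1 records and upgraded PBKDF2 records coexist during migration.
PBKDF2_ITERATIONS = 600_000  # cost factor; tune so one hash takes ~100 ms on the server


def legacy_sha1_hash(password: str, salt: str) -> str:
    """The fast scheme the thread criticises: one SHA-1 over password + salt."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow, iterated scheme: each guess costs the attacker `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def new_record(password: str) -> dict:
    """Create a fresh PBKDF2 record with a random 16-byte salt."""
    salt = secrets.token_bytes(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "iterations": PBKDF2_ITERATIONS, "hash": pbkdf2_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Check a password against either record type; constant-time compare."""
    if record["scheme"] == "sha1":
        candidate = legacy_sha1_hash(password, record["salt"])
    elif record["scheme"] == "pbkdf2":
        candidate = pbkdf2_hash(password, bytes.fromhex(record["salt"]), record["iterations"])
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, record["hash"])


def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Login path: on a correct password, a legacy SHA-1 record is replaced by a
    PBKDF2 record (the caller writes it back); other records are returned unchanged."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == "sha1":
        return True, new_record(password)
    return True, record
```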