Has ownCloud forum really stored encrypted passwords?

jurgenhaas · May 15, 2018, 12:47pm

In your email you write

Through the attack, the attacker gained access to the following data:
Full name, e-mail address, encrypted password and any other data you have entered in your profile.

Are you serious that your forum stored encrypted passwords? That’s hard to believe. Passwords should be hashed, but not encrypted, because nobody has ever any need to decrypt the password - unless …

tboerger · May 15, 2018, 1:06pm

You are totally right, the passwords are not encrypted, they are hashed. Discourse is hashing the passwords via pbkdf2 with the SHA256 algorithm.

jurgenhaas · May 15, 2018, 1:10pm

Good to hear, so it’s “just” been mis-stated in the email. Thanks @tboerger

op6sie · May 15, 2018, 1:23pm

How does this relate to logon’s via a service like google?

tboerger · May 15, 2018, 1:25pm

If you are authenticated via Github, Google, Twitter or Facebook there should be no usage of a password.

stefanochiappini · May 15, 2018, 1:25pm

I want to ask exactly the same question, as I’m using Github logon service. In this case password should not be present at all in Owncloud central database. Or also Github password have been compromised ?
Thanks.

tboerger · May 15, 2018, 1:26pm

This forum never had access to your Github password and in that case there should be no password defined on the forum.

thommie · May 16, 2018, 10:38am

@stefanochiappin: correct. If you use an external service (GitHub, Facebook, Google etc.) for authentication, the only place where the login password (or a hash value derived from it) is stored is the external service provider itself. The local forum software (here: discourse) only exchanges encrypted token data with the remote auth service. The most popular example for this kind of “remote authentication” is the OAuth2 standard.

fritz2cat · May 16, 2018, 1:49pm

Are they salted also ? (i.e. that hashing twice the same password yields different results, and the use of rainbow tables is ineffective.)
It is unclear to me whether pbkdf2 incorporates a salt mechanism, or if the app developer has to manage the salt by himself.
Frédéric

fritz2cat · May 16, 2018, 1:53pm

Found the reply: https://github.com/discourse/discourse/blob/9ce66038647bc4ff63167fe9c74857a01acc0875/docs/SECURITY.md
Current versions of discourse use salted password hashes.

OC-Florian · May 16, 2018, 7:13pm

We resolved all issues. Read the full story here: https://owncloud.org/news/owncloud-forum-hack-why-password-security-is-more-important-than-ever/