Has ownCloud forum really stored encrypted passwords?


#1

In your email you write

Through the attack, the attacker gained access to the following data:
Full name, e-mail address, encrypted password and any other data you have entered in your profile.

Are you serious that your forum stored encrypted passwords? That’s hard to believe. Passwords should be hashed, but not encrypted, because nobody has ever any need to decrypt the password - unless …


#2

You are totally right, the passwords are not encrypted, they are hashed. Discourse is hashing the passwords via pbkdf2 with the SHA256 algorithm.


#3

Good to hear, so it’s “just” been mis-stated in the email. Thanks @tboerger


#4

How does this relate to logons via a service like Google?


#5

If you are authenticated via Github, Google, Twitter or Facebook there should be no usage of a password.


#6

I want to ask exactly the same question, as I’m using the Github logon service. In this case the password should not be present at all in the Owncloud central database. Or has the Github password also been compromised?
Thanks.


#7

This forum never had access to your Github password and in that case there should be no password defined on the forum.


#8

@stefanochiappin: correct. If you use an external service (GitHub, Facebook, Google etc.) for authentication, the only place where the login password (or a hash value derived from it) is stored is the external service provider itself. The local forum software (here: discourse) only exchanges encrypted token data with the remote auth service. The most popular example for this kind of “remote authentication” is the OAuth2 standard.


#9

Are they also salted? (i.e. hashing the same password twice yields different results, and the use of rainbow tables is ineffective.)
It is unclear to me whether pbkdf2 incorporates a salt mechanism, or if the app developer has to manage the salt himself.
Frédéric


#10

Found the reply: https://github.com/discourse/discourse/blob/9ce66038647bc4ff63167fe9c74857a01acc0875/docs/SECURITY.md
Current versions of discourse use salted password hashes.
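To make concrete what posts #2, #9 and #10 describe (PBKDF2 with SHA-256 and a per-password salt), here is an added Python example. It is not Discourse's own code: the iteration count, salt length and the `algo$iterations$salt$digest` storage format are assumptions chosen for illustration. It shows that the salt is supplied by the caller (PBKDF2 does not generate one), that the same password hashed twice yields different digests, and that verification recomputes the digest from the stored salt and compares it in constant time.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters chosen for this example (assumptions, not Discourse's real settings).
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 64_000
DERIVED_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for PBKDF2-HMAC-SHA256.

    PBKDF2 itself has no salt generation: the caller must supply a random
    salt (or one is drawn here from os.urandom) and store it beside the digest.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations, dklen=DERIVED_LEN)
    return salt, digest


def encode_record(salt: bytes, digest: bytes, iterations: int = ITERATIONS) -> str:
    """Pack algorithm, iteration count, salt and digest into one storable string.

    Keeping the parameters with the digest lets iterations be raised later
    without breaking verification of older records (hypothetical format).
    """
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    _, digest = hash_password(candidate, bytes.fromhex(salt_hex), int(iters))
    # compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def salt_makes_digests_differ(password: str = "correct horse battery staple") -> bool:
    """True when hashing the same password twice gives different digests.

    This is exactly the property asked about in #9: a fresh salt per user
    means a precomputed (rainbow) table for one digest is useless for another.
    """
    _, first = hash_password(password)
    _, second = hash_password(password)
    return first != second


if __name__ == "__main__":
    stored = encode_record(*hash_password("hunter2"))  # constructed sample password
    print("stored record:", stored)
    print("correct password verifies:", verify_password("hunter2", stored))
    print("wrong password verifies:", verify_password("hunter3", stored))
    print("same password, different digests:", salt_makes_digests_differ())
```

Note that a stored record carries the salt in the clear; that is expected. The salt's job is to make each digest unique, not to be secret, while the iteration count is what slows an offline guessing attack on a leaked table.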


#11

We resolved all issues. Read the full story here: https://owncloud.org/news/owncloud-forum-hack-why-password-security-is-more-important-than-ever/