Pass the salt! Popular CMSs aren’t securing passwords properly

A group of researchers has discovered that many of the web’s most popular content management systems are using insecure algorithms to protect their users’ passwords.

Three researchers from the Department of Digital Systems at the University of Piraeus in Greece tested several CMS products [article behind paywall] to see how well they hashed user passwords.

Hashing is a mathematical function that encodes a secret. It takes an alphanumeric string such as a password and uses it to produce another string, called a digest.

A hashing function is a one-way street. You can calculate the digest easily using the password, but you can’t calculate the password using the digest.

That makes it great for storing passwords securely. When a user logs in using their password, the web application can quickly hash it. If the digest matches the one on file, the user gains access. Yet if anyone steals the password database, they can’t read it. (Although hashing is fundamental to good password security, there’s more to it than that – for a detailed primer see how to store your users’ passwords safely.)

Unfortunately, CMS software often doesn’t use hashing properly, the researchers warned. stating:

We have discovered that many CMS use outdated hash functions.

What does this mean?

Not all hashing functions are equal. MD5 (invented by Ron Rivest, who is the ‘R’ in RSA), has been compromised. A hashing function should produce a unique digest for every different input. No two passwords should produce the same digest (a situation referred to as a collision). The first successful collision attack against MD5 was conducted in 1996 and generating MD5 collisions is now considered easy.

Another popular hashing function, SHA-1, was widely used as a replacement when MD5 fell out of favour. That too is now considered obsolete.

The University of Piraeus researchers looked at 49 content management systems and 47 web application frameworks. It reported that 26.5% of them used MD5. These included osCommerce, SuiteCRM, WordPress, X3cms, SugarCRM, CMS Made simple, MantisBT, Simple Machines, miniBB, Phorum, MyBB, Observium, and Composr.

A further 12.2% of them use SHA-1. The culprits there are GetSimple CMS, Redmine, Collabtive, PunBB, Pligg, and Omeka.

The danger here isn’t just that these hashing functions are vulnerable to collision attacks. They’re also highly susceptible to the use of graphical processing units (GPUs), which can divide up the processing necessary to target them among their many processor cores.

Some of these sites had even worse problems. The researchers cited…

an arbitrary number of hash iterations, while there is a lack of password policies and salt

Hashing alone won’t defeat an attacker. In modern password hashing algorithms passwords are combined with a salt (a random string of data) so that identical passwords produce different hashes. Typically, the output of the hashing function is itself then mixed with the salt and hashed again, and again and again, perhaps thousands of times, to make the operation computationally expensive.

Each pass through the salt and hash routine is called an iteration. The higher the number of iterations, the harder it is for password cracking computers to generate password matches quickly.

Some of these systems using MD5 or SHA-1 endangered users further by not using salt or iterations. X3cms 0.5.3, GetSimple, MiniBB 3.2.2, and Phorum were on that naughty list.

The most secure CMS systems from a hashing perspective used bcrypt, a password hashing function which is resistant to GPU-based parallel computing cracks. On the nice list are Joomla, Zurmo, OrangeHRM, SilverStripe, Elgg, XOOPS, e107, NodeBB, Concrete5, phpBB, Vanilla Forums, Ushahidi, Lime Survey, Mahara, Mibew, vBulletin, OpenCart, PrestaShop, and Moodle.

It should be noted that the weakness affects how quickly an attacker can guess the contents of password database they have stolen from a breached website. It doesn’t affect their ability to breach the website in the first place or to guess passwords at the login prompt.