GSoC/GCI Archive
Google Code-in 2010 MoinMoin Wiki

more secure password storage

completed by: Pavel Vinogradov

mentors: ReimarBauer, Thomas Waldmann, Alexander Schremmer, Ronny Pfannschmidt

 

Abstract

moin stores user passwords NOT as cleartext, but rather safely as a (salted) hash of the password.

There has been a recent change in moin 1.9 to support more kinds of password hashes; you need to forward-port that change to moin2.

Also, because moin2's minimum requirement is now Python 2.6, we can use SHA256-based hashes (hashlib with SHA256 is not in the Python 2.4 stdlib, which is why moin 1.x does not use them).

Your task is to add SHA256 password hash support, because security researchers have published collision attacks against SHA-1 (which is what moin 1.x uses) and it is being phased out. Collision attacks do not directly break a salted password hash, but a primitive that is being deprecated should not remain the only one moin supports, and existing {SSHA} hashes still have to verify so that users can log in and be migrated.

You have to write unit tests for the password related code.

You also have to do a security review of that code based on existing guidelines.
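The following is an added example sketching the behaviour the task asks for; it is not moin's own code, and the exact storage format moin2 uses is not specified on this page. It assumes the LDAP-style layout moin 1.x writes, a `{SCHEME}` prefix followed by base64(digest || salt), and adds `{SSHA256}` beside the legacy `{SSHA}`. The function names `encode_password`, `verify_password` and `_split`, the 20-byte salt and the `needs_upgrade` flag are this example's choices. It is written for Python 3 (the Python 2.6 version differs only in str/bytes handling). Note that salting a fast hash such as SHA-256 does not slow down brute force; the review deliverable should say so even though a slow password KDF is outside this task's scope.

```python
import base64
import hashlib
import hmac
import os

# Salted-hash schemes, keyed by the LDAP-style prefix in front of the
# base64 payload. Assumed layout (as in moin 1.x {SSHA}): digest || salt.
SCHEMES = {
    "{SSHA}": hashlib.sha1,       # legacy scheme moin 1.x produces
    "{SSHA256}": hashlib.sha256,  # the new scheme this task adds
}
DEFAULT_SCHEME = "{SSHA256}"
SALT_LEN = 20  # assumed; moin's salt length is not given on this page


def encode_password(password, salt=None, scheme=DEFAULT_SCHEME):
    """Return '{SCHEME}' + base64(H(password || salt) || salt).

    A fresh random salt is drawn unless one is passed in (tests only:
    a fixed salt must never be used for real accounts).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if isinstance(password, str):
        password = password.encode("utf-8")
    digest = SCHEMES[scheme](password + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def _split(encoded):
    """Return (scheme, digest, salt) for a stored hash, or None if malformed."""
    for scheme, h in SCHEMES.items():
        if encoded.startswith(scheme):
            try:
                raw = base64.b64decode(encoded[len(scheme):], validate=True)
            except (ValueError, TypeError):
                return None
            size = h().digest_size
            if len(raw) <= size:  # need the full digest plus at least one salt byte
                return None
            return scheme, raw[:size], raw[size:]
    return None  # unknown prefix, or cleartext left over from an old install


def verify_password(encoded, password):
    """Return (ok, needs_upgrade).

    ok            -- password matches the stored hash
    needs_upgrade -- it matched, but was stored with a scheme weaker than
                     DEFAULT_SCHEME; the caller should re-encode the password
                     on this successful login so legacy {SSHA} hashes die out.
    """
    parts = _split(encoded)
    if parts is None:
        return False, False
    scheme, digest, salt = parts
    if isinstance(password, str):
        password = password.encode("utf-8")
    candidate = SCHEMES[scheme](password + salt).digest()
    # Constant-time comparison so timing does not reveal matching prefix bytes.
    ok = hmac.compare_digest(candidate, digest)
    return ok, ok and scheme != DEFAULT_SCHEME


if __name__ == "__main__":
    stored = encode_password("correct horse")
    print(stored)
    print(verify_password(stored, "correct horse"))  # (True, False)
    legacy = encode_password("old pw", scheme="{SSHA}")
    print(verify_password(legacy, "old pw"))         # (True, True): re-hash now
```

The unit tests the task asks for should cover at least: round-trip with a fixed salt for each scheme, a wrong password, a malformed or cleartext stored value (must fail closed, not raise), that two encodings of the same password differ because the salt is random, and that a legacy `{SSHA}` hash verifies but reports `needs_upgrade`.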

 

Details

Hints:

Deliverables: patch or changeset, wiki page with detailed review results

 

Skill Requirements

See tags. You should also have some basic knowledge about cryptographic hashes, salting and password storage to understand what this task is about.

You can discuss this issue in the MoinMoin wiki: http://moinmo.in/EasyToDo/more%20secure%20password%20storage