Abstract

moin stores user passwords NOT as cleartext, but rather safely as a (salted) hash of the password.

There has been a recent change in moin 1.9 to support more kinds of hashes, you need to forward port that change to moin2.

Also, because moin2's minimum requirement is Python 2.6 now, we can use SHA256 based hashes now (they are not in Python 2.4 stdlib, so we did not use them in moin 1.x).

Your task is to add SHA256 password hash support, because security researchers found some issues with sha-1 (which is what moin 1.x uses).

You have to write unit tests for the password related code.

You also have to do a security review of that code based on existing guidelines.

Details

Hints:

• review password storage (see http://www.pythonsecurity.org/wiki/hashing/ )

• write unit tests for password storage in moin2 / maybe refactor code a bit so that is easier

• port http://hg.moinmo.in/moin/1.9/rev/69668ad0cae7 plus your unit tests to moin2

• make it more secure by adding SSHA256 support (default for new user profiles)
• auto-upgrade passwords on login to SSHA256

Deliverables: patch or changeset, wiki page with detailled review results

Skill Requirements

See tags. You should also have some basic knowledge about crypto / hashes to better understand what this all is about.

You can discuss this issue in the MoinMoin wiki: http://moinmo.in/EasyToDo/more%20secure%20password%20storage