0

I just created an account on Magento Commerce, which is an online shop solution.

During account creation, I entered a password. Personally I prefer longer, generated passwords that do not contain special characters, since the special characters are located in different places, depending on the locale of the keyboard and special characters do not work well across several remote desktop connections.

As I was not allowed to use a 24 character password like this, I read about the password requirements:

The policies are quite strong:

  • 1 capital letter
  • 1 number
  • 1 special character
  • minimum 8 characters length
  • but then I wondered why there is a maximum length of 16 characters

Basically I know about Password length and complexity, so my question is not whether their requirements result in a higher password quality than mine.

The question is: since I consider using the product and I have the feeling that the understanding of password security by the developers of the product could be (partially) wrong, what are the first things I should check?

I'm not looking for a Magento specific answer. I'd like to know about the general approach for such a check, e.g. for any open source product.

Thomas Weller
  • 3,366
  • 3
  • 22
  • 40
  • Related to https://security.stackexchange.com/questions/87535/how-many-combinations-does-a-specific-password-policy-allow and https://security.stackexchange.com/questions/3248/recommended-policy-on-password-complexity. – Neil Smithline Oct 13 '15 at 05:07
  • I'm confused by the title of your question. The text discusses the affects of password policy while the title talks checking out an open source product. Are you just asking about password policy or is there something specific to open source that you're asking about? – Neil Smithline Oct 13 '15 at 05:09
  • @NeilSmithline: the password policy provided the hint that there might be something bad going on – Thomas Weller Oct 13 '15 at 17:32

1 Answers1

3

While the password requirements may help you slightly to understand how that particular system may be handling them, it is just the tip of the iceberg. It's true: Having a maximum length for a password raises some flags that something is not good. However there may be other reasons behind that (like bad documentation?).

Even if you have the perfect policies, nothing will ensure you they are not using weak algorithms or bad practices which can lead to severe security issues. The only way (IMO) is to check the code yourself. In case you don't understand their code, it's better to stick to the most active (and with more contributors) projects. It's also a good idea to check vulnerabilities reports about the project, get to know who is behind its development, ask in their forums or mailing lists and very important, how new the code is: Some OS projects are based in really old code (which could be vulnerable to new attack techniques or use deprecated algorithms), or in the other side, very new projects could pose some risks as they haven't been tested enough.

In summary, I would be more worried about the general security policies than just about how passwords are stored.

UPDATE (about Magento)

I checked their codes, and I found for example one of their Encryption interfaces.

Passwords seem to be stored using "sha256" with a fall-back on "md5" (if that setting is on). In that case, the max length of 16 chars it may be related to the GUI or other reasons (perhaps to allow custom settings and extensions).

Magento project seems to be well coded and it has a strong community. which make me assume its security is above average . Their current password hashing implementation its not the best, but its not the worst either --see comments below--, so don't trust it 100%. There is no perfect system and all OS projects are vulnerable (as attackers can see its code), but as you may know, close sourced projects are neither exempt of vulnerabilities.

I would recommend you to ask them directly why the 16-chars limitation. I'm sure they can give you a more detailed explanation.

lepe
  • 2,194
  • 2
  • 16
  • 29
  • 1
    The code you linked would be a **horrible** password hash. – CodesInChaos Oct 13 '15 at 07:14
  • @CodesInChaos: Sure, if you take the whole file as hash. BTW, the relevant methods are: `getHash` and `hash` . (lines 116 and 137) – lepe Oct 13 '15 at 07:54
  • 1
    `getHash` is not a secure password hash. But since I didn't review the rest of magento (not did I verify that this is the current version of it) I don't know if they're actually using it as a password hash. – CodesInChaos Oct 13 '15 at 07:59
  • @CodesInChaos: Sorry I misunderstood you the first time. Yes, indeed that hash is not strong as it uses a single iteration and IMO the way they add the salt is not strong either. Probably using PBKDF2, bcrypt or scrypt could be better too. I can confirm that it is the latest version. I'm not familiar with that system or its code, so I may be missing something important. – lepe Oct 13 '15 at 08:21
  • @lepe - I think you need to update your answer. Specifically `Magento project seems to be well coded and it has a strong community, which make me assume its security is above average.` because we know that the code is sub-par. – Neil Smithline Oct 13 '15 at 17:51
  • 1
    @NeilSmithline: Updated. Some parts of my statement are still valid from my point of view: Magento seems well coded to me (their code is well documented, they use unit tests, they apply OO correctly, etc), and it has a strong community (19 main developers, 1600 forks, 58K twitter followers). Their hash implementation may be weak, but its better than many of the OSS I have used in the past. I'm sure that if an issue is raised, they would update it soon. It is sub par or above? We don't know. We would have to see all OS projects out there... – lepe Oct 15 '15 at 01:04
  • Yesterday, an issue was raised (not by me) about the hash function: https://github.com/magento/magento2/issues/2106 (perhaps someone following this question?) – lepe Oct 15 '15 at 01:15
  • @lepe: yes, it was me :-) – Thomas Weller Oct 15 '15 at 19:24