As of build 2209, we have swapped out the standard reversible encryption system used for Peer passwords for Argon2, a one-way cryptographic hash with salt. This new hash cannot be reversed and is memory-hard. Prior to 2209, all passwords were protected with the same private crypto-key system, meaning an attacker could take the crypto-key and use it to decrypt all Peer passwords. It also left room for someone to perform a rainbow-table-type attack on user tables to quickly decipher passwords from a pre-generated table of hashes.
Under system settings, there is now a button that lets you convert all user passwords to SALT; otherwise, they will be converted as your users reset their passwords. We suggest forcing the conversion to SALT-based password hashes sooner rather than later, as the WebsitePanel open-source encryption path is well known, and at this point we believe it is completely insecure and possibly compromised.
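The forced conversion described in the announcement, sketched as an added example (not the project's own code). Assumptions: a constructed XOR keystream stands in for the legacy reversible scheme, Python's standard-library scrypt (also memory-hard) stands in for Argon2, and the record layout and function names are hypothetical.

```python
import hashlib
import hmac
import os

def legacy_crypt(key, data):
    """Constructed stand-in for the reversible scheme: one shared key, XOR both ways."""
    stream = hashlib.sha256(key).digest() * (len(data) // 32 + 1)
    return bytes(a ^ b for a, b in zip(data, stream))

def hash_password(password, salt=None):
    """Salted one-way record. scrypt stands in for Argon2 (not in the stdlib)."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return {"scheme": "salted", "salt": salt, "hash": digest}

def verify(record, candidate, legacy_key=b""):
    """Check a login attempt against either record type."""
    if record["scheme"] == "legacy":
        expected = legacy_crypt(legacy_key, record["blob"])
        return hmac.compare_digest(expected, candidate.encode())
    again = hash_password(candidate, record["salt"])
    return hmac.compare_digest(again["hash"], record["hash"])

def convert_all(users, legacy_key):
    """Forced conversion: decrypt each legacy blob once, keep only a salted hash."""
    converted = 0
    for name, rec in users.items():
        if rec["scheme"] == "legacy":
            plaintext = legacy_crypt(legacy_key, rec["blob"]).decode()
            users[name] = hash_password(plaintext)  # the reversible blob is dropped
            converted += 1
    return converted

def build_sample_users(key):
    """Constructed sample table; two users deliberately share a password."""
    sample = [("alice", "Winter2024!"), ("bob", "Winter2024!"), ("carol", "x9#Lq")]
    return {u: {"scheme": "legacy", "blob": legacy_crypt(key, p.encode())}
            for u, p in sample}
```

Before conversion, the two users with the same password have identical stored values; afterwards their records differ because each has its own salt, and the shared key is no longer needed to verify a login.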