skytable / skytable

Skytable is a modern scalable NoSQL database with BlueQL, designed for performance, scalability and flexibility. Skytable gives you spaces, models, data types, complex collections and more to build powerful experiences

Home Page: https://skytable.io

Security: (non critical) user passwords should be salted

nicolello-dev opened this issue · comments

If my understanding of the code is correct, here is where the user is created:

```rust
let password_hash = rcrypt::hash(password, rcrypt::DEFAULT_COST).unwrap();
```
and it seems like the password is not salted anywhere.

I understand that, because operating a database is usually only allowed to competent people, the risks of not salting are very minimal; however, given it has a very small impact on speed, I believe it would be beneficial to implement it.

I volunteer to implement it, if it gets approved.

Hi, all passwords are hashed and salted based on the bcrypt algorithm using rcrypt.
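An added example (not skytable's or rcrypt's code) of the check behind the reply above: a bcrypt hash carries its own per-password salt, so whether stored passwords are salted can be read straight off the stored value instead of being trusted. It assumes the standard 60-character bcrypt string layout (`$<version>$<cost>$<22-char salt><31-char digest>`) rather than rcrypt's compact encoding, and the sample hash strings are constructed to show the structure only; they are not real bcrypt outputs.

```python
import re
from dataclasses import dataclass

# bcrypt's modular-crypt-format string: $<version>$<cost>$<salt><digest>
# The salt is 16 random bytes (22 chars in bcrypt's "./A-Za-z0-9" base64),
# the digest is 23 bytes (31 chars). Cost is the log2 of the work factor.
MCF = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


@dataclass(frozen=True)
class BcryptHash:
    version: str
    cost: int
    salt: str    # 22 base64 chars = 128-bit per-password salt
    digest: str  # 31 base64 chars = 184-bit hash output


def parse_bcrypt(stored: str) -> BcryptHash:
    """Split a stored bcrypt string into its fields, rejecting malformed input."""
    m = MCF.match(stored)
    if m is None:
        raise ValueError("not a standard bcrypt hash string")
    version, cost, salt, digest = m.groups()
    cost_int = int(cost)
    if not 4 <= cost_int <= 31:  # bcrypt's defined cost range
        raise ValueError(f"cost {cost_int} outside bcrypt's valid range 4..31")
    return BcryptHash(version, cost_int, salt, digest)


def salts_are_distinct(stored_hashes) -> bool:
    """True when no two stored hashes share a salt (the property salting provides)."""
    salts = [parse_bcrypt(h).salt for h in stored_hashes]
    return len(salts) == len(set(salts))


# Constructed sample values: two records for the same password, each with a
# different embedded salt. Structure is correct; the digests are placeholders.
SAMPLE_HASHES = [
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2b$12$0123456789./ABCDEFGHIJzyxwvutsrqponmlkjihgfedcba98765",
]

if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        parsed = parse_bcrypt(h)
        print(f"cost=2^{parsed.cost} salt={parsed.salt}")
    print("distinct salts:", salts_are_distinct(SAMPLE_HASHES))
```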