Sophos UTM 9 Password Storage

Hi there,

while using the API, I figured out that passwords for internal users are stored as MD4 hashes.

According to Wikipedia: "As of 2007, an attack can generate collisions in less than 2 MD4 hash operations" [1]. That was 10 years ago...

Is there any possibility to change the hash algorithm to something useful / secure?

I know that I can use alternative authentication backends, but that's explicitly not what I want.

Thanks in advance.

Best,

Alk

[1] en.wikipedia.org/.../MD4

  • Hi

    There are currently no plans to change the hash algorithm, as an attacker would need to be a privileged admin on the UTM in the first place.

    - Karlos
    Community Support Engineer | Sophos Technical Support
  • I'm sorry, but that's not a very good argument.

    First of all, if it didn't matter, why not simply store the passwords plaintext? I'm sure I don't need to explain why that's a bad idea.

    Also, we all know that users like to reuse passwords. So, let's assume a system that has to automatically create networks and users on the firewall. For this, it requires an API key (with admin privileges, because of the user creation).

    If this system is compromised, the adversary can (obviously) modify arbitrary settings in the firewall and gain access to other parts of the network, which is bad enough.

    But instead of telling your customers "Hey, we messed up and an attacker temporarily gained access to some parts of the network (s)he wasn't supposed to.", it's "Hey, we messed up and an attacker temporarily gained access to some parts of the network (s)he wasn't supposed to. Also, all passwords were stolen and if your users aren't very security-minded people, all your confidential business information that was stored in mails etc. has now been stolen.". Alternatively, the passwords may be used to gain further access to (now accessible) systems.

    Also, all passwords are unsalted (not that it matters when using md4).

    I'm asking you to seriously reconsider this decision.

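To make the two complaints in this thread concrete (unsalted MD4 in the opening post, and the "unsalted" point in the reply just above), here is an added example that is not from Sophos or from anyone in the thread: a pure-Python MD4 (RFC 1320), the unsalted store the thread describes, a salted PBKDF2 store as the hardened alternative, and an audit helper showing what an unsalted store reveals that a salted one does not. It assumes passwords are hashed as raw UTF-8 bytes; the UTM's actual input encoding and storage format are not stated in the thread.

```python
import hashlib, hmac, os, struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds of hashlib often refuse hashlib.new('md4')."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (boolean function, additive constant, message-word order, shift amounts) per RFC 1320
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + x[j] + k) & MASK
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & MASK, b, c  # rotate registers
        state = [(v + w) & MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def md4_store(password: str) -> str:
    """The scheme the thread describes: one unsalted MD4 digest per user (UTF-8 input is an assumption)."""
    return md4(password.encode()).hex()

def pbkdf2_store(password: str, salt: bytes = b"") -> str:
    """Hardened form: per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt.hex() + "$" + key.hex()

def pbkdf2_verify(password: str, record: str) -> bool:
    salt_hex = record.split("$")[0]
    return hmac.compare_digest(pbkdf2_store(password, bytes.fromhex(salt_hex)), record)

def shared_password_accounts(store: dict) -> dict:
    """Audit: users whose stored values are identical. Only an unsalted scheme exposes this (and lets
    one precomputed table cover every account); the salted store returns {} for the same passwords."""
    groups = {}
    for user, value in store.items():
        groups.setdefault(value, []).append(user)
    return {v: users for v, users in groups.items() if len(users) > 1}
```
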
  • Hi

    We understand your concern. The best thing for you to do is to submit a feature request here.

    Our product team will take a look. Thanks Alk.

    - Karlos