Use a more secure cryptographic hashing function for password instead of the current MD5 #5769

allanbenW · 2023-11-22T19:20:09Z

Introduction

NebulaGraph (as of v3.6.0) uses MD5 for password hashing

Line 24 in de9b3ed

proxygen::md5Encode(folly::StringPiece(*cuNode->password())),

However, MD5 is known to have a broken collision resistance and is vulnerable to collision attacks. There are also published theoretical attacks against its preimage resistance.

Contents

Use a cryptographically secure hashing function, such as bcrypt

Related work

wey-gu · 2023-11-23T01:44:56Z

Welcome @allanbenW to the community and thanks for pointing this out!

allanbenW · 2024-04-02T18:28:03Z

Hi team. Just wondering if there's any plan addressing this security concern soon? maybe next (few) minor/major release?

allanbenW · 2024-04-17T15:06:50Z

bump again

apologize for ping, just trying to get some attention
@wey-gu @dutor

this is a security concern flagged by our security team, and it's blocking our adoption of this otherwise amazing solution

allanbenW added the type/enhancement Type: make the code neat or more efficient label Nov 22, 2023

Provide feedback