SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

Suggest an Idea...

Secure & Up-to-Date Password Storage for Internal Users

Hi there,

currently, passwords of internal users are stored as md4 hashes. According to Wikipedia, this hash function was already severely broken 10 years ago: "As of 2007, an attack can generate collisions in less than 2 MD4 hash operations" [1]. IMHO, this is a severe security issue, especially for a security device such as a firewall.

While it's technically true that access to password hashes requires administrative access, those hashes should still be protected, even in case of compromise. This also facilitates insider attacks, and so on...

Therefore, I strongly suggest that password storage follows well-established security principles: Use an up-to-date hash function (e.g. bcrypt, argon2, ...) as well as a salt. For more information, please see any recommendation on password storage by NIST, OWASP, ...

Best,
Alk

[1] https://en.wikipedia.org/wiki/MD4

20 votes
Sign in
(thinking…)
Sign in with: Facebook Google Sophos Features & Ideas Laboratory
Signed in as (Sign out)

We’ll send you updates on this idea

Alk Sadkla shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

0 comments

Sign in
(thinking…)
Sign in with: Facebook Google Sophos Features & Ideas Laboratory
Signed in as (Sign out)
Submitting...

Feedback and Knowledge Base

icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-avid-secure icon-lightbulbCreated with Sketch.