
Sophos UTM 9 Password Storage

Hi there,


while using the API, I figured out that passwords for internal users are stored as md4-hashes.

According to Wikipedia: "As of 2007, an attack can generate collisions in less than 2 MD4 hash operations" [1]. That was 10 years ago...


Is there any possibility to change the hash algorithm to something useful / secure?

I know that I can use alternative authentication backends, but that's explicitly not what I want.


Thanks in advance.

Best,

Alk


[1] en.wikipedia.org/.../MD4



  • Hi, Alk, and welcome to the UTM Community!

    My company has been installing this software since 2003.  As you can tell, I've been an active participant here for over 10 years.  During that time, I've probably read every post related to the UTM.  No such situation has occurred that was reported here.

    Up until Sophos bought Astaro, this venue rarely saw Astaro employees and there was no attempt by Astaro to remove such reports.  I'm not saying that Sophos does, just that we would have known sometime before 2013.

    That said, there are several things an experienced installer does to minimize the attack surface.  First, limit access to WebAdmin to a few IPs.  You also can use two-factor auth.  I like to add a remote access account and then include "MyUserName (User Network)" as a different kind of two-factor auth.  I also recommend only allowing one person to know the admin credentials, and it's not me!  The admin user should always be the backup for getting in when the primary admin's account doesn't authenticate.  Similarly, I always configure root access by RSA key, and the "(User Network)" trick also works there for two-factor auth.

    I could go on, but suffice to say that the exposure should be virtually non-existent for a site configured correctly.

    Cheers - Bob
