More than a quarter of popular content management systems (CMS) use by default an outdated and no longer adequate MD5 hash scheme for storing and protecting user passwords. Among those using MD5 were serious projects such as WordPress, osCommerce, SuiteCRM, Simple Machines Forum, miniBB, MyBB, SugarCRM, CMS Made Simple, MantisBT, Phorum, Observium, X3cms and Composr.
In practice, this means that an attacker can easily recover user passwords if the database of a site running one of these CMS falls into their hands. Specialists from the University of Piraeus in Greece pointed out this problem.
“Recent studies suggest that even developers do not use appropriate hash functions to protect passwords, since they may not have adequate security expertise. Therefore, the default settings of CMS and web applications frameworks play an important role in the security of password storage”, the researchers report.
The site owner can and should change these default settings by modifying the CMS source code.
The researchers analyzed the 49 most commonly used CMS and 47 popular frameworks.
The experts were interested in how passwords are stored, that is, how well the credentials of users of such sites are protected. The researchers' report contains a table that clearly illustrates the state of outdated password hashing methods.
“Overall, we believe that the security status of the hashing schemes of CMS and web application frameworks calls for changes to the default settings from an opt-in to an opt-out security policy. More security audits and official library implementations are also required to accelerate the adoption of memory hard functions both by policy makers and the industry”, the researchers noted.
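As an added illustration that is not part of the report or of any CMS named above: the audit below classifies stored hashes by format so that raw MD5 and phpass-style entries can be flagged, and pairs it with a memory-hard scrypt replacement that rehashes a legacy entry transparently at login. The format prefixes, sample rows and scrypt parameters are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample user rows (username, stored hash); not real data.
# "password" hashed with raw MD5 is 5f4dcc3b5aa765d61d8327deb882cf99.
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),   # unsalted MD5
    ("bob",   "$P$BxAmple0fPhpassMd5BasedHashXXXXX"),  # phpass (MD5-based)
    ("carol", "$2y$10$examplebcryptsaltandhashXXXXXXXXXXXXXXXXXXXXXX"),
]

# Prefix conventions assumed here: $P$/$H$ = phpass, $2a/b/y$ = bcrypt,
# $argon2 = Argon2, $scrypt$ = the format produced by scrypt_hash() below.
LEGACY_PATTERNS = {"raw_md5": re.compile(r"^[0-9a-f]{32}$"),
                   "phpass_md5": re.compile(r"^\$[PH]\$")}
MODERN_PATTERNS = {"bcrypt": re.compile(r"^\$2[aby]\$"),
                   "argon2": re.compile(r"^\$argon2"),
                   "scrypt": re.compile(r"^\$scrypt\$")}

def classify_hash(stored: str) -> str:
    """Return the scheme name for a stored hash, or 'unknown'."""
    for name, pat in list(LEGACY_PATTERNS.items()) + list(MODERN_PATTERNS.items()):
        if pat.match(stored):
            return name
    return "unknown"

def audit(rows):
    """List (username, scheme) for every row still on a legacy scheme."""
    return [(u, classify_hash(h)) for u, h in rows if classify_hash(h) in LEGACY_PATTERNS]

# Memory-hard replacement: scrypt with a random 16-byte salt (N=2^14, r=8 uses 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def scrypt_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"

def scrypt_verify(password: str, stored: str) -> bool:
    _, _, n, r, p, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

def upgrade_on_login(password: str, stored: str):
    """If a raw-MD5 entry matches the supplied password, return its scrypt replacement."""
    if classify_hash(stored) == "raw_md5" and \
            hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored):
        return scrypt_hash(password)
    return None
```

Rows reported by `audit()` stay on the legacy scheme until their owner next logs in, which is when `upgrade_on_login()` can replace the stored value; accounts that never log in again need a forced reset.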