Full disclosure on how ThinkCMS secures passwords and how they are stored in the database.
Every ThinkCMS installation deals with passwords, from administrator accounts to registered users. If appropriate measures are not taken, all of these passwords could easily be compromised, with consequences that are hard to foresee. Imagine what could happen if an employee of the hosting company or your own IT staff could see the passwords of all site administrators or, even worse, the passwords of all registered users. If we assume that more than 70% of users reuse the same password on multiple sites, things get out of control very quickly. And what if someone leaks your database online, or it gets compromised in any other way?
Sites like https://haveibeenpwned.com/ are good proof that these things happen. Unless appropriate measures are taken, someone, somewhere might get a front row seat to your online life or, depending on how he/she is feeling that day, decide to totally mess you up.
First of all, we do not store any passwords in plaintext. The plaintext password exists on the server only for a fraction of a second, before it is hashed, encrypted and saved in the database, or hashed and compared with the value stored in the database.
For those who are unfamiliar with the terminology, hashing is a one-way transformation that converts the password (or any string) into a series of characters called a hash. By storing the hashed version in the database, there is no need to keep the original password. Each time a user needs to be authenticated, the provided password is hashed and compared to the stored hash. This is one of the reasons why the system cannot send you your old password when you go through the "Forgot password" steps: it can tell whether a password matches the hash, but it cannot recover the original password from the hash.
Hashes are vulnerable too. In case of a database breach, or unauthorized access by a rogue employee of your company or of the hosting provider, your database contents might become available to a number of people. Given enough time and CPU/GPU power, an attacker could try every possible combination, or use a more sophisticated attack, until one reproduces the same hash, thus revealing your password.
To ensure that the time and CPU/GPU resources needed to crack a password hash are so high that an attacker would need to spend huge amounts of money and time on a single password, we have carefully selected two password hashing algorithms. The default is Argon2i, which is more resistant to GPU cracking (Bitcoin miners, etc.); if Argon2i is not available on your server, the system falls back to bcrypt, which has been an industry standard for the last couple of years. Both are configured with a high difficulty and cost, resulting in very slow cracking times and high resource usage, even on state-of-the-art mining hardware.
Starting with v5, there are two new features: automatic upgrading of stored password hashes when a better algorithm becomes available, and raising the hashing difficulty to counter the growing power of new password cracking hardware.
While the above measures might be enough for most websites, we have added an extra layer of security. Starting from ThinkCMS v5.1.0, all password hashes are encrypted using AES-256 before being saved in the database. Multiple keys can be configured, rotated and changed if needed. An additional message authentication code (MAC) is used to prevent undetected tampering with the stored data.
Some might argue that this is overkill, but in case of a database breach, the attacker will not be able to decrypt the password hashes, since the encryption keys are not stored in the database.
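As an added illustration (not ThinkCMS code, whose record format and parameters are not disclosed here), the following PHP sketch ties together the steps described above: Argon2i with a bcrypt fallback, rehashing on login when the stored hash is weaker than the current policy, and sealing the hash with AES-256 plus a MAC under a rotatable key id that is looked up outside the database. The function names, the record layout (AES-256-CBC with HMAC-SHA256, encrypt-then-MAC) and the key ring are assumptions.

```php
<?php
// Added illustration, not ThinkCMS source. Function names, record layout and key ring are assumptions.
function hashPolicy(): array {                       // Argon2i when the PHP build has it, else bcrypt
    return defined('PASSWORD_ARGON2I')
        ? [PASSWORD_ARGON2I, ['memory_cost' => 1 << 17, 'time_cost' => 4, 'threads' => 2]]
        : [PASSWORD_BCRYPT, ['cost' => 12]];
}
function hashPassword(string $plain): string {
    [$algo, $opts] = hashPolicy();
    return password_hash($plain, $algo, $opts);
}
function subKey(string $master, string $use): string { // distinct AES and HMAC keys from one config key
    return hash_hmac('sha256', $use, $master, true);
}
// Record: "<keyId>:" . base64(iv[16] . ciphertext . hmac[32]); the MAC covers keyId, iv and ciphertext.
function sealHash(string $hash, array $ring, string $keyId): string {
    $iv = random_bytes(16);
    $ct = openssl_encrypt($hash, 'aes-256-cbc', subKey($ring[$keyId], 'enc'), OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $keyId . $iv . $ct, subKey($ring[$keyId], 'mac'), true);
    return $keyId . ':' . base64_encode($iv . $ct . $mac);
}
function openHash(string $sealed, array $ring): ?string {  // null on unknown key, bad encoding or bad MAC
    [$keyId, $blob] = explode(':', $sealed, 2) + [1 => ''];
    $raw = base64_decode($blob, true);
    if (!isset($ring[$keyId]) || $raw === false || strlen($raw) < 48) return null;
    $iv = substr($raw, 0, 16); $ct = substr($raw, 16, -32); $mac = substr($raw, -32);
    $expect = hash_hmac('sha256', $keyId . $iv . $ct, subKey($ring[$keyId], 'mac'), true);
    if (!hash_equals($expect, $mac)) return null;     // tampered record never reaches the cipher
    $hash = openssl_decrypt($ct, 'aes-256-cbc', subKey($ring[$keyId], 'enc'), OPENSSL_RAW_DATA, $iv);
    return $hash === false ? null : $hash;
}
// Returns [ok, newRecordOrNull]; a new record means the hash or the key was upgraded: write it back.
function verifyAndUpgrade(string $plain, string $sealed, array $ring, string $currentKeyId): array {
    $hash = openHash($sealed, $ring);
    if ($hash === null || !password_verify($plain, $hash)) return [false, null];
    [$algo, $opts] = hashPolicy();
    $rehash = password_needs_rehash($hash, $algo, $opts);   // weaker algorithm or lower cost than policy
    $rekey  = explode(':', $sealed, 2)[0] !== $currentKeyId; // sealed under a retired key
    if (!$rehash && !$rekey) return [true, null];
    return [true, sealHash($rehash ? hashPassword($plain) : $hash, $ring, $currentKeyId)];
}
// Constructed demo: the key ring comes from config, never from the database; 'k2' is current, 'k1' legacy.
$ring = ['k1' => random_bytes(32), 'k2' => random_bytes(32)];
$legacy = sealHash(password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]), $ring, 'k1');
[$ok, $upgraded] = verifyAndUpgrade('correct horse', $legacy, $ring, 'k2');   // rehashed and re-keyed to k2
var_dump($ok, $upgraded !== null && explode(':', $upgraded, 2)[0] === 'k2');
[$ok] = verifyAndUpgrade('wrong password', $legacy, $ring, 'k2');
$tampered = $legacy; $tampered[20] = ($tampered[20] === 'A') ? 'B' : 'A';       // flip one stored byte
var_dump($ok, openHash($tampered, $ring));
```

The demo shows a legacy record (bcrypt cost 10, sealed under the retired key) being transparently upgraded on a successful login, a wrong password being rejected, and a record with a single altered byte being refused by the MAC check before decryption is attempted.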
While most users will certainly hate this, we have also implemented stricter password construction policies. Even though the policies are configurable, there are minimum requirements that must always be fulfilled.
If you would like to find out more about the security of ThinkCMS, please click here.