[AC-465] Encrypt Database from the details derived from the username and password - OpenMRS Issues

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: TBD
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.6.2
Labels:
- database
- encryption
- security
- sha

Complexity:
Undetermined

Description

Currently, the Android client provides no means of securing the user credentials when they login to the OpenMRS instance. The username and password is stored in SharedPreferences with no encryption, and so one could retrieve it from the Android phone and then the person would have access to the user's account.

We should increase the security of the login phase by encrypting the username + password, using bcrypt. BCrypt has a key advantage compared to SHA encryption methods which is that it comes with salt generation which should be used when encrypting the user's credentials.

References

jBCrypt library - http://www.mindrot.org/projects/jBCrypt/

Gliffy Diagrams

Attachments

Activity

People

Assignee:: Aleksander W

Reporter:: Chathuranga Muthukuda

Designated Committer:: Fawwaz Yusran

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2018-07-06 14:07:22 GMT

Updated:: 2019-03-13 11:57:47 GMT

Resolved:: 2019-03-13 11:57:47 GMT