ThinkCMS v5 is built with security in mind due to the simple fact that our CMS is used in a variety of industries and types of web apps, from simple websites to financial institutions dealing with sensitive personal data. To ensure maximum protection and compliance with existing and future legislation and best practices we have implemented the following features.
While developing ThinkCMS and all code for all implementations of the system, we take the following precautions:
- Appropriate security training for all developers in the company;
- Adhere to best practices, guidelines and standards related to security, including those of OWASP (the Open Web Application Security Project);
- Input validation;
- Output encoding;
- Authentication and password management;
- Session management;
- Access control;
- Cryptographic practices;
- Error handling and logging;
- Data protection;
- Communication security;
- Web application, server and system configuration;
- Database security;
- Adhere to CIA (Confidentiality, Integrity and Availability) principles;
- Adhere to security by design principles:
  - Minimizing the attack surface area;
  - Principle of least privilege;
  - Principle of defense in depth;
- We perform internal code reviews and security assessments;
- We perform automated penetration tests of the system and specific implementations;
- Bug reporting, tracking and patching;
Authentication, access and permissions
ThinkCMS v5 features a back office administration panel allowing access only to authenticated users and using appropriate authentication methods, protocols and password storage and validation standards. The granular permission system enables system owners to define individual permissions granting access to only the needed modules and actions for each admin.
If an implementation includes the user module, all security measures, best practices and standards valid for the admin users apply to regular users too.
Login brute force protection
Brute force is a well-known password-guessing attack in which the attacker sends a large number of login requests for a specific username, trying to guess the password by going through combinations of letters, numbers and special characters. High-performance computer hardware and fast internet connections increase the effectiveness of this kind of attack. ThinkCMS v5 comes with brute force protection out of the box, limiting the number of failed login attempts in a given time period and locking the account down if an attack is detected. This feature renders brute force attacks useless, since going through enough password combinations (approximately 68^8 for an eight-character password) to find the password would take millions of years.
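The lockout behaviour described above, as an added example written for this page (not ThinkCMS code): a sliding-window counter of failed logins per username that locks the account once a threshold is hit and records the lockout as an event worth alerting on. The threshold, window and lockout durations are constructed values, and the in-memory store stands in for the database or cache a deployment would use.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login limiter with a temporary account lockout.

    Assumed policy values (constructed, not taken from the ThinkCMS
    documentation): max_failures failed attempts within window_seconds
    lock the account for lockout_seconds. State is kept in memory here;
    a deployment would keep it in the database or a shared cache so that
    every application server sees the same counters.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)   # username -> recent failure timestamps
        self._locked_until = {}               # username -> unlock timestamp
        self.events = []                      # lockout events worth alerting on

    def _prune(self, username, now):
        """Drop failures that fell out of the sliding window."""
        recent = self._failures[username]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:             # lockout expired: reset counters
            del self._locked_until[username]
            self._failures[username].clear()
            return False
        return True

    def record_failure(self, username):
        """Register a failed attempt; returns True if it triggered a lockout."""
        now = self.clock()
        self._prune(username, now)
        self._failures[username].append(now)
        if len(self._failures[username]) >= self.max_failures:
            self._locked_until[username] = now + self.lockout
            self.events.append(("lockout", username, now))
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)


def attempt_login(throttle, username, password, verify):
    """Gate the password check behind the throttle.

    verify(username, password) -> bool is the application's own check.
    Returns "locked", "denied" or "ok". A locked account is refused even
    when the supplied password is correct, so nothing is learned from
    continuing to guess during the lockout period.
    """
    if throttle.is_locked(username):
        return "locked"
    if verify(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

The lockout is keyed on the username rather than the client address, which is what stops a distributed guessing campaign against one account; the `events` list is where a deployment would hook its logging so that repeated lockouts surface in monitoring.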
Password storage and hashing
Due to security and privacy concerns, we never store plaintext passwords in the database. In case of a database breach or unauthorized access by a rogue employee of your company or the hosting provider, user passwords could otherwise be compromised, with serious consequences for your business and users. To prevent this, passwords are stored hashed using a one-way transformation algorithm that converts the password into a fixed string from which the original password cannot be recovered.
The possible attacks on stored passwords can be simplified into two steps:
- The attacker or rogue employee gets access to the server or database;
- Brute-forces the password hashes to get the plaintext passwords;
The harder you make the second step, the better the security. That is why it is important to implement a strong cryptographic hash algorithm and configure it properly to counteract increases in the speed and power of the computers available to crack the hashes.
Addressing GPU password cracking
While a number of different hashing algorithms exist and are used for password hashing, the main difference between them is the time and resources it takes an attacker to recover the password from the hash. MD5 is among the most commonly used and easiest to crack. A six-character password (any combination of the characters on a US keyboard) can be cracked in less than a minute on a regular dual-GPU home PC doing 16 GH/s. For seven characters the time is under two hours. On a more serious setup, like a mini cryptocurrency miner with 8x Nvidia GTX 1080 Ti cards, the cracking speed increases by a large factor.
In version 5 we implemented the Argon2i hashing algorithm, winner of the 2015 Password Hashing Competition. Argon2 builds on the ideas of bcrypt and scrypt and is more resistant to GPU cracking. By using Argon2i we ensure a high level of security for the hashed passwords.
Here is a quick overview of the password hashing algorithms used by popular frameworks and content management systems:
| CMS / Framework | Algorithm |
| --- | --- |
| Drupal | SHA512Crypt with multiple rounds |
| WordPress | salted MD5 (phpass) |
Continuous upgrade and protection
The new system automatically upgrades password hashes when a better algorithm becomes available or the difficulty is raised to keep up with the growing power of new password cracking hardware. All user passwords cannot be upgraded at once, because computing a new hash requires the plaintext password; instead, the hash is updated with the recommended hashing function and difficulty the next time the user signs in.
Configurable protection level
For applications containing highly sensitive user data, we have implemented an option to configure the password hashing to the strongest level the server's hardware configuration allows. This way government, financial and other institutions with the right hardware can make the password hashes almost unbreakable.
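The sign-in time hash upgrade and the configurable cost level from the two sections above, as an added example written for this page (not ThinkCMS code). The standard library has no Argon2, so `hashlib.scrypt` stands in for Argon2i; the mechanism is the same: each stored hash carries its algorithm and cost parameters, verification uses the recorded parameters, and a login that succeeds against a hash below the current policy returns a fresh hash to persist. The policy values are constructed.

```python
import base64
import hashlib
import hmac
import os

# Assumed current cost policy (constructed). scrypt's n = 2**ln, block size r,
# parallelism p; raise ln or r as the server hardware allows.
CURRENT_POLICY = {"ln": 14, "r": 8, "p": 1}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, policy=CURRENT_POLICY) -> str:
    """Hash with a fresh random salt; the result records algorithm and parameters."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2 ** policy["ln"], r=policy["r"], p=policy["p"], dklen=32)
    return "$scrypt$ln={ln},r={r},p={p}${salt}${digest}".format(
        ln=policy["ln"], r=policy["r"], p=policy["p"], salt=_b64(salt), digest=_b64(digest))


def parse_hash(stored: str):
    """Split '$algo$k=v,...$salt$digest' into (algo, params, salt, digest)."""
    parts = stored.split("$")
    if len(parts) != 5:
        raise ValueError("unsupported hash format")
    _, algo, params, salt, digest = parts
    parsed = {k: int(v) for k, v in (kv.split("=") for kv in params.split(","))}
    return algo, parsed, base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored string; compare in constant time."""
    try:
        algo, params, salt, digest = parse_hash(stored)
    except ValueError:
        return False                        # unparseable record: treat as a failed login
    if algo != "scrypt":
        return False                        # unknown scheme (a legacy verifier would go here)
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=2 ** params["ln"], r=params["r"], p=params["p"],
                               dklen=len(digest))
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, policy=CURRENT_POLICY) -> bool:
    """True if the stored hash uses another algorithm or any cost parameter below policy."""
    try:
        algo, params, _, _ = parse_hash(stored)
    except ValueError:
        return True
    return algo != "scrypt" or any(params.get(k, 0) < v for k, v in policy.items())


def login(password: str, stored: str, policy=CURRENT_POLICY):
    """Verify the password; on success also return an upgraded hash if one is due.

    Returns (accepted, new_hash_or_None). The plaintext is only available
    during login, which is why hashes are upgraded one user at a time.
    """
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, policy):
        return True, hash_password(password, policy)
    return True, None
```

Raising a parameter in `CURRENT_POLICY` is all that is needed to start migrating the user base; users who never sign in again keep their old hash, which is the residual risk the page's "cannot be upgraded at once" remark refers to.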
Encrypted password hashes
Encrypting the password hashes with keys stored outside the database is a defense-in-depth measure added in ThinkCMS v5.1.0. This extra layer of AES-256-CBC encryption enables key rotation when needed and reduces the exposure of the hashed passwords in case the database is compromised or accessed by unauthorized personnel.
Full article available here: "How Are Passwords Protected in ThinkCMS".
Optional two factor authentication (2FA)
When dealing with sensitive data, an additional security layer can be added to user authentication in the form of one-time verification codes. After the user's password is verified, the user provides an additional one-time token (RFC 2289). A wide range of mobile apps for Android and iOS are supported, including Google Authenticator.
Password security questions
Password security questions like "What is your mother's maiden name?" are not supported, as they are considered insecure.
The current security features do not include an automated password expiry feature, but it can be implemented on request.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) outlaws weak protection of sensitive user data, and since passwords are sensitive information and are used to access other sensitive information it is important to protect them properly. For more information see our GDPR compliance page.
Password construction guidelines
Since password authentication is used to authorize access to protected resources that might contain sensitive data, it is important to enforce a strong password creation policy. All passwords for the admin area and user accounts must comply with the following rules:
- All passwords should be reasonably complex and difficult for unauthorized people to guess;
- The length must be at least 8 characters;
- Must include at least one uppercase letter;
- Must include at least one lowercase letter;
- Must include at least one special character;
- Must not include dictionary words;
- Must avoid basic combinations that are easy to crack like “password,” “password1” and “Pa$$w0rd”;
- Must not include any profile or personal information such as: username, name, date of birth, social security number etc;
- Must not include the company, product or website name, domain, email and other publicly available company / website information or abbreviation of that information and derivatives;
- Must not use license plates, phone numbers, dates (including birthdays) or other common numbers;
Passwords that do not follow these rules may be rejected by the system.
Password strength checker
Since version 3 we have had a password strength checker for all admin users, which rejected the easiest-to-crack passwords, passwords vulnerable to dictionary attacks and commonly used password topologies. We have now extended this functionality to all passwords, with a configurable strength checker that can be adjusted to the exact project requirements.
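The construction rules listed above and the configurable strength checker described here, as an added example written for this page (not ThinkCMS code). It reports every rule a candidate password violates rather than stopping at the first, undoes common letter substitutions before matching dictionary words and profile data, and takes the profile fields and site terms as parameters so the same checker can be configured per project. The word lists are a few constructed entries standing in for a full dictionary and a breached-password list.

```python
import re

# Constructed sample lists; a deployment would load a full dictionary and a
# breached-password list instead of these few entries.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football"}
COMMON_PASSWORDS = {"password", "password1", "passw0rd", "123456", "qwerty", "letmein"}
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# Common letter substitutions undone before dictionary/profile matching.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "!": "i", "7": "t"})


def normalize(text: str) -> str:
    return text.lower().translate(LEET)


def profile_tokens(profile: dict) -> list:
    """Derive the personal fragments a password must not contain (username, name, DOB ...)."""
    tokens = []
    for key, value in profile.items():
        if not value:
            continue
        value = str(value)
        tokens.extend(part for part in re.split(r"[\s@._-]+", value) if part)
        if key == "date_of_birth":                 # assumed YYYY-MM-DD, e.g. 1985-07-23
            parts = value.split("-")
            if len(parts) == 3:
                y, m, d = parts
                tokens += [y, m + d, d + m, d + m + y[2:], y[2:] + m + d]
    return [t for t in tokens if len(t) >= 3]


def check_password(password: str, profile: dict = None, site_terms=()) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    # Match both the literal lowercase form and the de-leeted form.
    forms = {password.lower(), normalize(password)}
    if forms & COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if any(word in f for word in DICTIONARY_WORDS for f in forms):
        problems.append("contains a dictionary word")
    if any(normalize(t) in f for t in profile_tokens(profile or {}) for f in forms):
        problems.append("contains profile or personal information")
    if any(normalize(t) in f for t in site_terms if len(t) >= 3 for f in forms):
        problems.append("contains the company, product or site name")
    if re.search(r"\d{4,}", password):
        problems.append("contains a number run typical of dates, phone numbers or plates")
    return problems
```

Returning the full list of violations lets the UI show the user everything to fix in one round, while the caller decides which rules are hard rejections and which are only warnings for a given project.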
No passwords are sent over email
Even with encrypted email, we never send passwords in plaintext to the user. The password reset process is designed to protect the user's password from being intercepted: the new password is entered on the site only after a valid password reset token has been provided within the allowed time period.
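The reset flow just described, as an added example written for this page (not ThinkCMS code): the server issues a random token that travels once in the e-mailed link, stores only its hash with an expiry, and accepts a new password only when a matching, unexpired token is redeemed, after which the token is consumed. The validity window and the `set_password` hook are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600   # assumed validity window (constructed, not a ThinkCMS value)


class ResetTokenStore:
    """Issues single-use password reset tokens and persists only their hashes.

    The token itself travels once, inside the e-mailed link; the store
    holds sha256(token) plus an expiry, so reading the database does not
    yield usable reset links. Issuing a new token replaces a pending one.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}      # user_id -> (token_hash, expires_at)

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id) -> str:
        token = secrets.token_urlsafe(32)             # 256 bits from the OS CSPRNG
        self._pending[user_id] = (self._digest(token), self.clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id, token: str) -> bool:
        """Consume the token if it matches and is still within its validity period."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(self._digest(token), token_hash):
            return False
        del self._pending[user_id]                    # single use
        return True


def complete_reset(store, user_id, token, new_password, set_password) -> bool:
    """Accept the new password only after a valid, unexpired token is presented.

    set_password(user_id, new_password) is the application's own hook
    (assumed here), the place where the password construction rules are
    applied and the new hash is written.
    """
    if not store.redeem(user_id, token):
        return False
    set_password(user_id, new_password)
    return True
```

Because the new password is only sent in the reset form and the token is consumed on first use, an attacker who later reads the mailbox or the database finds neither a password nor a reusable link.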
Storing sensitive data requires database encryption. In v5 we have implemented two symmetric encryption algorithms for securely encrypting and decrypting database records, AES-128-CBC and AES-256-CBC, both approved and used by numerous government institutions. An additional message authentication code (MAC) is used to prevent unauthorized data tampering.
While we use open source programming languages, our source code is proprietary, meaning it is not, and will not be, released to the public. This automatically decreases the risk of a breach. Finding vulnerabilities in a custom-built web application requires a blind attack on the site, which takes a lot of resources and time.
ThinkCMS has dependencies on other software which are carefully inspected before being included in the system. Our regular updates provide security updates not only for the code and features developed by us, but also for all the dependencies used.
| Date | Version | Author | Changes |
| --- | --- | --- | --- |
| 06.01.2018 | 1.0 | Goce Bonev | First document outlining the security features of ThinkCMS v5 |
| 15.04.2018 | 1.1 | Goce Bonev | More information added on general development practices, back office and user security, password security questions and password expiry |
| 16.06.2018 | 1.2 | Goce Bonev | Information on the new global pepper for password security |