wy8881 / voting Goto Github PK

Which file can I change to fix vulnerabilities? In SecurityConfiguration.java ?

When I tried to run VotingApplication.java, It shows:

There is a similar problem in Stack Overflow:
https://stackoverflow.com/questions/74648576/spring-class-file-has-wrong-version-61-0-should-be-55-0

Maybe we can find a solution and/or add this to D. Common Issues.

Issue Description

Currently, our project's database stores user passwords without implementing a salting process. This approach poses several security risks which could compromise user data. I'd like to highlight the importance of adding a unique salt to each password before hashing and storing them.

Risks of Not Salting Passwords

1. Vulnerability to Rainbow Table Attacks: Without salting, the same passwords across different accounts generate identical hash values. This consistency makes our system susceptible to rainbow table attacks, where precomputed hash tables are used to reverse-engineer passwords.

2. Password Reuse Risk: In our current setup, if two users have the same password, their hash values in the database will also be the same. Consequently, if one account's password is compromised, it jeopardizes any account with a matching password hash.

3. Simplicity in Cracking Common Passwords: Unsalted passwords, especially those that are common or simple, can be easily cracked using dictionary attacks, as their hash values are predictable and often precomputed.

Proposed Solution

To mitigate these risks, I propose the implementation of a salting mechanism. This involves generating a unique, random salt for each user's password. The salt is then concatenated with the password before hashing. This process ensures that even identical passwords will produce unique hash values, significantly enhancing our system's security against various types of password-related attacks.

Expected Benefits

1. Increased Security Against Precomputed Hash Attacks: Salting passwords makes precomputed hash attacks, like rainbow tables, ineffective.
2. Protection Against Password Reuse Attacks: Unique salts ensure that identical passwords generate different hash values, securing accounts even in cases of password reuse.
3. Resilience Against Dictionary Attacks: Adding random salts to passwords before hashing makes it impractical to use dictionary attacks, as it would require generating a new set of precomputed hashes for each user.

I believe addressing this issue should be a priority to ensure the security of our users' data. Implementing salting will be a significant step towards strengthening our application's overall security posture.

I'm not sure if it is working or not?

https://github.com/wy8881/voting/blob/c249c7e6c24ed50f996ac489c23bc21171fa36be/src/main/java/com/example/voting/configuration/SecurityConfiguration.java#L76C31-L76C31