Roundup Tracker - Issues

Issue 2551145

classification
consider adding scrypt or argon2 for password hashing to replace pbkdf2
Type: security Severity: normal
Components: Database Versions:
process
Status: new
:
: : ced, rouilj
Priority: : Effort-Medium, StarterTicket

Created on 2021-06-25 04:00 by rouilj, last changed 2022-12-23 05:24 by rouilj.

Messages
msg7289 Author: [hidden] (rouilj) Date: 2021-06-25 04:00
Time marches on and pbkdf2 isn't as resilient against GPU processors.
Increasing the rounds will help but consider adding scrypt if the
module (https://pypi.org/project/scrypt/) is available.

At this time scrypt supports python 2.7 and 3.6+.

Consider argon2 as well https://pypi.org/project/argon2-cffi/. Simiar 
language support to scrypt.

ref:
https://medium.com/analytics-vidhya/password-hashing-pbkdf2-scrypt-
bcrypt-and-argon2-e25aaf41598e
https://stackoverflow.com/questions/4433216/password-hashing-pbkdf2-
using-sha512-x-1000-vs-bcrypt
msg7290 Author: [hidden] (ced) Date: 2021-06-25 07:34
Maybe it make sense to use passlib [1] and make the hashing configurable.

[1] https://pypi.org/project/passlib/
msg7292 Author: [hidden] (rouilj) Date: 2021-06-25 13:42
Hi Cedric:

In message
<1624606499.54.0.504109235365.issue2551145@roundup.psfhosted.org>,
=?utf-8?q?C=C3=A9dric_Krier?= writes:
>Maybe it make sense to use passlib [1] and make the hashing configurable.
>
>[1] https://pypi.org/project/passlib/

Nice find.

Making hashing configurable doesn't require passlib. In general we
chose the highest security implementation. Starting from plaintext,
crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used
internally. Upgrading occurred automatically as people logged in (if
enabled).

I think argon2 is preferred over scrypt. So the existing mechanism for
choosing a hash function can be extended to cover these cases. Do you
think it's necessary to allow the admin to explicitly choose between
scrypt and argon2?

We will never use 99% of passlib so I can't see making it a
requirement. However if passlib is installed we should use its argon2
implementation.

Thoughts?

				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
msg7293 Author: [hidden] (ced) Date: 2021-06-25 14:32
On 2021-06-25 13:42, John Rouillard wrote:
> Making hashing configurable doesn't require passlib. In general we
> chose the highest security implementation. Starting from plaintext,
> crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used
> internally. Upgrading occurred automatically as people logged in (if
> enabled).
> 
> I think argon2 is preferred over scrypt. So the existing mechanism for
> choosing a hash function can be extended to cover these cases. Do you
> think it's necessary to allow the admin to explicitly choose between
> scrypt and argon2?

Indeed for me it is more about relying on external library.
So you could have conservative defaults but user may use stronger
algorithm if they want and when they want.

> We will never use 99% of passlib so I can't see making it a
> requirement.

I guess this is because the internal mechanism to choose and update is
already implemented.

> However if passlib is installed we should use its argon2
> implementation.

I do not think you should use passlib just to retrieve one hash
algorithm. Indeed you could directly use the passlib dependency argon2.
msg7701 Author: [hidden] (rouilj) Date: 2022-12-23 05:24
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Provides some notes on upgrading older hashes. It points out that automatic hash
upgrade can leave the account vulnerable if the old hashes get cracked. They suggest
a password reset when rehashing/upgrade.

Also what to do about accounts where users have not logged in. They suggest obsolete the
passwords and require a password reset.

Also scrypt is part of hashlib as of python 3.6. So maybe we could support scrypt from
hashlib if available. I doubt anybody would want to go from python 3.6 to 2.7
(without built-in scrypt). The owasp linked above has minimum settings for for scrypt.
But we should plan on allowing these to be stored with the passwords and changed.
History
Date User Action Args
2022-12-23 05:24:50rouiljsetmessages: + msg7701
2021-06-29 03:31:51rouiljsetkeywords: + Effort-Medium, StarterTicket
2021-06-25 14:32:02cedsetmessages: + msg7293
2021-06-25 13:42:08rouiljsetmessages: + msg7292
2021-06-25 07:34:59cedsetnosy: + ced
messages: + msg7290
2021-06-25 04:00:43rouiljcreate