Issue 2551145
Created on 2021-06-25 04:00 by rouilj, last changed 2022-12-23 05:24 by rouilj.
Messages

msg7289 | Author: [hidden] (rouilj) | Date: 2021-06-25 04:00

Time marches on and pbkdf2 isn't as resilient against GPU processors. Increasing the rounds will help but consider adding scrypt if the module (https://pypi.org/project/scrypt/) is available. At this time scrypt supports python 2.7 and 3.6+.

Consider argon2 as well https://pypi.org/project/argon2-cffi/. Similar language support to scrypt.

ref:

https://medium.com/analytics-vidhya/password-hashing-pbkdf2-scrypt-bcrypt-and-argon2-e25aaf41598e

https://stackoverflow.com/questions/4433216/password-hashing-pbkdf2-using-sha512-x-1000-vs-bcrypt

msg7290 | Author: [hidden] (ced) | Date: 2021-06-25 07:34

Maybe it makes sense to use passlib [1] and make the hashing configurable.

[1] https://pypi.org/project/passlib/

msg7292 | Author: [hidden] (rouilj) | Date: 2021-06-25 13:42

Hi Cedric:

In message <1624606499.54.0.504109235365.issue2551145@roundup.psfhosted.org>, Cédric Krier writes:

> Maybe it makes sense to use passlib [1] and make the hashing configurable.
>
> [1] https://pypi.org/project/passlib/

Nice find. Making hashing configurable doesn't require passlib. In general we chose the highest security implementation. Starting from plaintext, crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used internally. Upgrading occurred automatically as people logged in (if enabled).

I think argon2 is preferred over scrypt. So the existing mechanism for choosing a hash function can be extended to cover these cases. Do you think it's necessary to allow the admin to explicitly choose between scrypt and argon2?

We will never use 99% of passlib so I can't see making it a requirement. However if passlib is installed we should use its argon2 implementation.

Thoughts?

--
rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

msg7293 | Author: [hidden] (ced) | Date: 2021-06-25 14:32

On 2021-06-25 13:42, John Rouillard wrote:
> Making hashing configurable doesn't require passlib. In general we
> chose the highest security implementation. Starting from plaintext,
> crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used
> internally. Upgrading occurred automatically as people logged in (if
> enabled).
>
> I think argon2 is preferred over scrypt. So the existing mechanism for
> choosing a hash function can be extended to cover these cases. Do you
> think it's necessary to allow the admin to explicitly choose between
> scrypt and argon2?

Indeed for me it is more about relying on an external library. So you could have conservative defaults but users may use a stronger algorithm if they want and when they want.

> We will never use 99% of passlib so I can't see making it a
> requirement.

I guess this is because the internal mechanism to choose and update is already implemented.

> However if passlib is installed we should use its argon2
> implementation.

I do not think you should use passlib just to retrieve one hash algorithm. Indeed you could directly use the passlib dependency argon2.

msg7701 | Author: [hidden] (rouilj) | Date: 2022-12-23 05:24

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Provides some notes on upgrading older hashes. It points out that automatic hash upgrade can leave the account vulnerable if the old hashes get cracked. They suggest a password reset when rehashing/upgrading. Also what to do about accounts where users have not logged in. They suggest obsoleting the passwords and requiring a password reset.

Also scrypt is part of hashlib as of python 3.6. So maybe we could support scrypt from hashlib if available. I doubt anybody would want to go from python 3.6 to 2.7 (without built-in scrypt).

The OWASP page linked above has minimum settings for scrypt. But we should plan on allowing these to be stored with the passwords and changed.
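An added example (not Roundup's own code) of the approach discussed in this thread: scrypt taken from `hashlib`, with the n/r/p cost parameters stored next to each hash so they can be raised later, and a `needs_upgrade` check that a login-time rehash can use to spot hashes made under a weaker scheme or weaker settings. The `{scrypt}n$r$p$salt$hash` layout, the `CURRENT_PARAMS` policy and the `MAXMEM` limit are assumptions for this example, not Roundup's actual storage format.

```python
import base64
import hashlib
import hmac
import os

# Assumed storage layout (not Roundup's own): "{scrypt}n$r$p$salt$hash".
# Keeping n, r and p with the hash lets the cost be raised later and
# lets a login-time check spot hashes made with weaker settings.
SCHEME = "scrypt"
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # assumed policy; raise over time
MAXMEM = 64 * 1024 * 1024  # hashlib.scrypt needs ~128*n*r bytes; raise with n

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

def _split_scheme(stored: str):
    """Return (scheme, body) from a "{scheme}body" string."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {scheme} prefix")
    scheme, body = stored[1:].split("}", 1)
    return scheme, body

def hash_password(password: str, params=None) -> str:
    params = params or CURRENT_PARAMS
    salt = os.urandom(16)  # fresh random salt per hash
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=params["n"],
                        r=params["r"], p=params["p"], maxmem=MAXMEM, dklen=32)
    return "{%s}%d$%d$%d$%s$%s" % (SCHEME, params["n"], params["r"],
                                   params["p"], _b64(salt), _b64(dk))

def verify_password(password: str, stored: str) -> bool:
    scheme, body = _split_scheme(stored)
    if scheme != SCHEME:
        return False  # other schemes would be checked by their own verifier
    n, r, p, salt, expected = body.split("$")
    expected = base64.b64decode(expected)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt),
                        n=int(n), r=int(r), p=int(p), maxmem=MAXMEM,
                        dklen=len(expected))
    return hmac.compare_digest(dk, expected)  # constant-time comparison

def needs_upgrade(stored: str) -> bool:
    """True if the hash uses another scheme or a weaker-than-current scrypt cost."""
    scheme, body = _split_scheme(stored)
    if scheme != SCHEME:
        return True
    n, r, p = (int(x) for x in body.split("$")[:3])
    return n < CURRENT_PARAMS["n"] or r < CURRENT_PARAMS["r"] or p < CURRENT_PARAMS["p"]
```

On a successful login, `needs_upgrade(stored)` being true is the point at which the tracker would rehash the freshly verified password with `CURRENT_PARAMS`.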
History

Date | User | Action | Args |
---|---|---|---|
2022-12-23 05:24:50 | rouilj | set | messages: + msg7701 |
2021-06-29 03:31:51 | rouilj | set | keywords: + Effort-Medium, StarterTicket |
2021-06-25 14:32:02 | ced | set | messages: + msg7293 |
2021-06-25 13:42:08 | rouilj | set | messages: + msg7292 |
2021-06-25 07:34:59 | ced | set | nosy: + ced; messages: + msg7290 |
2021-06-25 04:00:43 | rouilj | create |