Issue 2551251
Created on 2022-12-23 03:36 by rouilj, last changed 2023-02-24 00:35 by rouilj.
msg7697
Author: [hidden] (rouilj)
Date: 2022-12-23 03:36

If the admin changes password_pbkdf2_default_rounds in config.ini, the encrypted password
is not updated to the new count when they log in to the web interface.
This case should be handled as though an insecure password encryption was used and
migrate_passwords is set to yes.
It looks like this can be done by making password.py:Password::needs_migration
check that the number of rounds is < password_pbkdf2_default_rounds. Also change the signature
of needs_migration to accept a config argument so the method can check against the
password_pbkdf2_default_rounds setting.
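The login-time re-encryption check described above, written out as an added Python example (not Roundup's own password.py code). It assumes a stored layout of `{PBKDF2}rounds$salt$digest` and PBKDF2-HMAC-SHA256, both hypothetical stand-ins for Roundup's actual encoding, and treats a hash with fewer rounds than the configured default as needing migration while leaving a larger count alone.

```python
import base64
import hashlib
import hmac
import os

# Assumed stored layout, a stand-in for Roundup's real encoding: "{PBKDF2}rounds$salt$digest"
SCHEME = "{PBKDF2}"
PRF = "sha256"  # assumption; the issue does not name the underlying hash function


def encode_pbkdf2(password, rounds, salt=None):
    """Hash a cleartext password with the given iteration count (random salt unless supplied)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, rounds)
    return "%s%d$%s$%s" % (SCHEME, rounds,
                           base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(digest).decode("ascii"))


def parse_pbkdf2(stored):
    """Split a stored PBKDF2 string into (rounds, salt, digest)."""
    rounds, salt_b64, digest_b64 = stored[len(SCHEME):].split("$", 2)
    return int(rounds), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def check_password(password, stored):
    """Constant-time comparison against the stored digest, using the stored round count."""
    rounds, salt, digest = parse_pbkdf2(stored)
    candidate = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def needs_migration(stored, config_rounds):
    """True when the hash should be re-encrypted at next login: any non-PBKDF2 scheme
    (existing migrate_passwords behaviour), or PBKDF2 with fewer rounds than configured."""
    if not stored.startswith(SCHEME):
        return True
    rounds, _, _ = parse_pbkdf2(stored)
    return rounds < config_rounds


def login(password, stored, config_rounds):
    """Verify the password; return (ok, new_stored) where new_stored is the
    re-encrypted value to save, or None if no migration is needed."""
    if not check_password(password, stored):
        return False, None
    if needs_migration(stored, config_rounds):
        return True, encode_pbkdf2(password, config_rounds)
    return True, None
```

The cleartext is only available at login, which is why the re-encryption has to happen there rather than when config.ini changes.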
msg7698
Author: [hidden] (rouilj)
Date: 2022-12-23 03:38

See also issue 2551145 for replacing PBKDF2 if argon2 or scrypt auxiliary modules are available.
msg7733
Author: [hidden] (rouilj)
Date: 2023-02-24 00:35

Fixed in rev cfdcaf8b5936.

Date | User | Action | Args
2023-02-24 00:35:07 | rouilj | set | status: new -> fixed; assignee: rouilj; resolution: fixed; messages: + msg7733
2023-01-22 20:01:20 | rouilj | set | title: re-encrypt PBKDF2 password with password_pbkdf2_default_rounds if prior password used a different number of rounds. -> re-encrypt PBKDF2 password with password_pbkdf2_default_rounds if prior password used a different smaller) number of rounds.
2022-12-23 03:38:58 | rouilj | set | keywords: + Blocker, StarterTicket; messages: + msg7698
2022-12-23 03:36:34 | rouilj | create |