Roundup Tracker - Issues

Issue 2551251

classification
re-encrypt PBKDF2 password with password_pbkdf2_default_rounds if prior password used a different smaller) number of rounds.
Type: security Severity: normal
Components: Database Versions:
process
Status: new
:
: : rouilj
Priority: : Blocker, Effort-Low, StarterTicket

Created on 2022-12-23 03:36 by rouilj, last changed 2023-01-22 20:01 by rouilj.

Messages
msg7697 Author: [hidden] (rouilj) Date: 2022-12-23 03:36
If the admin changes password_pbkdf2_default_rounds in config.ini, the encrypted password
is not updated to the new count when they login to the web interface.

This case should be handled as though an insecure password encryption was used and 
migrate_passwords is set to yes.


It looks like this can be done by making password.py:Password::needs_migration
check the number of rounds is < password_pbkdf2_default_rounds. Also change signature
of needs_migration to accept config argument so method can check against the
password_pbkdf2_default_rounds setting.
msg7698 Author: [hidden] (rouilj) Date: 2022-12-23 03:38
See also issue 2551145 for replacing PBKDF2 if argon2 or scrypt auxillary modules are available.
History
Date User Action Args
2023-01-22 20:01:20rouiljsettitle: re-encrypt PBKDF2 password with password_pbkdf2_default_rounds if prior password used a different number of rounds. -> re-encrypt PBKDF2 password with password_pbkdf2_default_rounds if prior password used a different smaller) number of rounds.
2022-12-23 03:38:58rouiljsetkeywords: + Blocker, StarterTicket
messages: + msg7698
2022-12-23 03:36:34rouiljcreate