Roundup Tracker - Issues

Issue 2551251

classification
re-encrypt PBKDF2 password with password_pbkdf2_default_rounds if prior password used a different (smaller) number of rounds.
Type: security Severity: normal
Components: Database Versions:
process
Status: fixed Resolution: fixed
Assigned To: rouilj Nosy List: rouilj
Priority: Keywords: Blocker, Effort-Low, StarterTicket

Created on 2022-12-23 03:36 by rouilj, last changed 2023-02-24 00:35 by rouilj.

Messages
msg7697 Author: [hidden] (rouilj) Date: 2022-12-23 03:36
If the admin changes password_pbkdf2_default_rounds in config.ini, the encrypted password
is not updated to the new count when they log in to the web interface.

This case should be handled as though an insecure password encryption was used and 
migrate_passwords is set to yes.


It looks like this can be done by making password.py:Password::needs_migration
check that the number of rounds is < password_pbkdf2_default_rounds. Also change the signature
of needs_migration to accept a config argument so the method can check against the
password_pbkdf2_default_rounds setting.
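
The check proposed in msg7697, as an added sketch (not Roundup's code and not the fix in the referenced revision): a stored PBKDF2 hash is re-encrypted at login when its round count is below the configured value. The storage format, the use of SHA-256, the dict user record and the helper names other than needs_migration are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{PBKDF2}"  # assumed stored form: {PBKDF2}<rounds>$<salt>$<digest>

def _b64(raw):
    return base64.b64encode(raw).decode()

def encrypt(plaintext, rounds, salt=None):
    """Hash plaintext and record the round count beside the salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, rounds)
    return "%s%d$%s$%s" % (SCHEME, rounds, _b64(salt), _b64(digest))

def parse(stored):
    """Split a stored hash into (rounds, salt, digest); ValueError if malformed."""
    if not stored.startswith(SCHEME):
        raise ValueError("not a PBKDF2 hash")
    rounds, salt, digest = stored[len(SCHEME):].split("$")
    return int(rounds), base64.b64decode(salt), base64.b64decode(digest)

def verify(plaintext, stored):
    rounds, salt, digest = parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

def needs_migration(stored, default_rounds):
    """True only when the stored hash used fewer rounds than configured."""
    rounds, _, _ = parse(stored)
    return rounds < default_rounds

def login(user, plaintext, default_rounds, migrate_passwords=True):
    """Verify first; re-encrypt only while the verified plaintext is in hand."""
    if not verify(plaintext, user["password"]):
        return False
    if migrate_passwords and needs_migration(user["password"], default_rounds):
        user["password"] = encrypt(plaintext, default_rounds)
    return True
```

The upgrade can only happen at login because the plaintext is needed to compute the new hash; accounts that never log in keep the old round count.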
msg7698 Author: [hidden] (rouilj) Date: 2022-12-23 03:38
See also issue 2551145 for replacing PBKDF2 if argon2 or scrypt auxiliary modules are available.
msg7733 Author: [hidden] (rouilj) Date: 2023-02-24 00:35
Fixed in rev cfdcaf8b5936.
History
Date User Action Args
2023-02-24 00:35:07 rouilj set status: new -> fixed
assignee: rouilj
resolution: fixed
messages: + msg7733
2023-01-22 20:01:20 rouilj set title: re-encrypt PBKDF2 password with password_pbkdf2_default_rounds if prior password used a different number of rounds. -> re-encrypt PBKDF2 password with password_pbkdf2_default_rounds if prior password used a different smaller) number of rounds.
2022-12-23 03:38:58 rouilj set keywords: + Blocker, StarterTicket
messages: + msg7698
2022-12-23 03:36:34 rouilj create