Roundup Tracker - Issues


Author rouilj
Recipients rouilj
Date 2022-12-23.05:01:18
Message-id <>
We use SHA1 with PBKDF2 for hashing passwords. This requires 720,000 rounds/iterations.

Using sha512 the recommended number of rounds (setting: password_pbkdf2_default_rounds)
is 120,000 according to:

Also OWASP suggests deprecating sha1 for sha512.

The roundup database stored password entry looks like:




In the rdbms databases (backends/ and backends/back_*), the password
class is defined as varchar(255). I think this should allow enough space for a sha512
digest and the auxiliary fields as the digest size of sha1 is 20 and of sha512 is 64.
If we multiply the encoded digest length of 28 by 4 (since 4 * 20 > 64) I expect
the new encoded digest for sha512 to be less than 112. The rest of the fields consume
44 characters. So the total is 156 < 256. We can even add a few more bytes to
change the label {PBKDF2} to {PBKDF2-512} to mark the new format if needed.

It looks like the stored entry is using a form of the modular PHC string format

Also there are some magic numbers in the code. keylen = 20 not sure why or if it should
be changed. This seems to just be the default value for the digest length of the
underlying hash function but I am not sure if they should be changed to use the
digest length or not.
Date User Action Args
2022-12-23 05:01:18rouiljsetrecipients: + rouilj
2022-12-23 05:01:18rouiljsetmessageid: <>
2022-12-23 05:01:18rouiljlinkissue2551253 messages
2022-12-23 05:01:18rouiljcreate