Roundup Tracker - Issues

Message7701

Author rouilj
Recipients ced, rouilj
Date 2022-12-23.05:24:50
Message-id <1671773090.68.0.232970185025.issue2551145@roundup.psfhosted.org>
In-reply-to
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Provides some notes on upgrading older hashes. It points out that automatic hash
upgrade can leave the account vulnerable if the old hashes get cracked. They suggest
a password reset when rehashing/upgrading.

Also what to do about accounts where users have not logged in. They suggest obsoleting the
passwords and requiring a password reset.

Also scrypt is part of hashlib as of python 3.6. So maybe we could support scrypt from
hashlib if available. I doubt anybody would want to go from python 3.6 to 2.7
(without built-in scrypt). The OWASP page linked above has minimum settings for scrypt.
But we should plan on allowing these to be stored with the passwords and changed.
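As an added example (not Roundup's code, and not from the message above), here is one way to do what the message sketches: use `hashlib.scrypt`, store the scrypt parameters next to the salt and digest so they can be raised later, and upgrade a hash produced with weaker parameters at the one moment the cleartext password is available, namely a successful login. The `{SCRYPT}n$r$p$salt$digest` storage format, the `ScryptParams` type and the `CURRENT_PARAMS`/`LEGACY_PARAMS` values are constructed for this example; the parameter values are chosen so it runs quickly and are not a recommendation.

```python
"""Store scrypt parameters alongside the hash and upgrade weak hashes at login.

Added example, not Roundup's own code. The storage format is constructed here:
    {SCRYPT}<n>$<r>$<p>$<salt_b64>$<digest_b64>
"""
import base64
import hashlib
import hmac
import os
from typing import NamedTuple, Optional, Tuple


class ScryptParams(NamedTuple):
    n: int   # CPU/memory cost, must be a power of two
    r: int   # block size
    p: int   # parallelism


# Demo policy values (assumption, picked so the example runs fast); a deployment
# would read them from configuration so they can be raised over time.
CURRENT_PARAMS = ScryptParams(n=2 ** 14, r=8, p=1)
LEGACY_PARAMS = ScryptParams(n=2 ** 10, r=8, p=1)
DKLEN = 32
PREFIX = "{SCRYPT}"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _scrypt(password: str, salt: bytes, params: ScryptParams) -> bytes:
    # OpenSSL rejects the call unless maxmem covers about 128 * r * (n + p) bytes,
    # so compute it from the parameters instead of relying on the 32 MiB default.
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=params.n, r=params.r, p=params.p,
        maxmem=2 * 128 * params.r * (params.n + params.p),
        dklen=DKLEN,
    )


def encode(password: str, params: ScryptParams = CURRENT_PARAMS,
           salt: Optional[bytes] = None) -> str:
    """Hash a password and serialise parameters, salt and digest together."""
    salt = os.urandom(16) if salt is None else salt
    digest = _scrypt(password, salt, params)
    return f"{PREFIX}{params.n}${params.r}${params.p}${_b64(salt)}${_b64(digest)}"


def parse(stored: str) -> Tuple[ScryptParams, bytes, bytes]:
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SCRYPT} hash")
    n, r, p, salt_b64, digest_b64 = stored[len(PREFIX):].split("$")
    return (ScryptParams(int(n), int(r), int(p)),
            base64.b64decode(salt_b64), base64.b64decode(digest_b64))


def verify(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the hash and compare in constant time."""
    params, salt, digest = parse(stored)
    candidate = _scrypt(password, salt, params)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, policy: ScryptParams = CURRENT_PARAMS) -> bool:
    """True if any stored parameter is below the current policy."""
    params, _salt, _digest = parse(stored)
    return params.n < policy.n or params.r < policy.r or params.p < policy.p


def login(password: str, stored: str,
          policy: ScryptParams = CURRENT_PARAMS) -> Tuple[bool, Optional[str]]:
    """Return (authenticated, replacement_hash_or_None).

    The cleartext is only in hand at login, so this is the one point where a
    weak hash can be re-hashed without a reset. Accounts that never log in keep
    the old hash, which is why the message above mentions forcing a reset there.
    """
    if not verify(password, stored):
        return False, None
    if needs_rehash(stored, policy):
        return True, encode(password, policy)
    return True, None
```

On a successful login the caller writes the returned replacement hash back to the user record; the old hash stays readable until then because its own parameters travel with it, so raising `CURRENT_PARAMS` later never invalidates existing logins.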
History
Date User Action Args
2022-12-23 05:24:50 rouilj set messageid: <1671773090.68.0.232970185025.issue2551145@roundup.psfhosted.org>
2022-12-23 05:24:50 rouilj set recipients: + rouilj, ced
2022-12-23 05:24:50 rouilj link issue2551145 messages
2022-12-23 05:24:50 rouilj create