Roundup Tracker - Issues

Message7737

Author rouilj
Recipients rouilj
Date 2023-02-28.21:01:04
Message-id <1677618064.51.0.00174804525473.issue2551253@roundup.psfhosted.org>
In-reply-to
The keylen should be increased to the digest length of 64 for SHA512.

Multiple refs but:

  https://security.stackexchange.com/questions/110084/parameters-for-pbkdf2-for-password-hashing

The output looks like,

  {PBKDF2S5}2000000$n/Ut1zX1XWdsi38jhMs6gnDUKFU$BPG9ubjHv9jlGEhWTwDe1wB7OWKRZdnb2lVogm9UgIjVCu4goQOmiugO.5rPU1Q..SEqMpbnd21R9fLWagpv2A

it has a length of 132 chars which can be stored in the db w/o issue.
Note that 2 million rounds is excessive for PBKDF2-SHA512. As I write this,
the recommended is 210,000 but we have room to grow.

Committed changes in rev da751d3a2138.

Note that it is not the default. To make it the default, you need to add this code to
the tracker's interfaces.py:

from roundup.password import Password
# force passwords with scheme PBKDF2 to get re-hashed
Password.deprecated_schemes.insert(0, Password.known_schemes[0])
# choose PBKDF2S5 as the scheme to use for rehashing.
Password.default_scheme = Password.experimental_schemes[0]

After some discussion/feedback, I'll see if this SHA512 version should be the default,
if PBKDF2-SHA1 should be migrated etc.

Also need to change the note in CHANGES.txt that references this ticket when I close it
and possibly add to upgrading.txt.
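As an added illustration (not Roundup's own code), the following stand-alone Python reproduces the {PBKDF2S5} layout shown above, "{scheme}rounds$salt$hash", with dklen=64 so the full SHA-512 digest is kept. The 20-byte salt size and the base64 variant (padding stripped, '+' replaced by '.') are assumptions inferred from the sample string; the 132-char figure in the message corresponds to a 7-digit round count, so a 6-digit count such as 210,000 gives 131 chars.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not Roundup's own implementation.
SCHEME = "PBKDF2S5"
DIGEST = "sha512"
KEYLEN = 64        # full SHA-512 digest length; a smaller dklen would truncate it
SALT_BYTES = 20    # assumed: matches the 27-char salt field in the sample


def h64encode(data: bytes) -> str:
    """Base64 with '+' -> '.' and '=' padding stripped (variant assumed from the sample)."""
    return base64.b64encode(data, b"./").rstrip(b"=").decode("ascii")


def h64decode(text: str) -> bytes:
    """Inverse of h64encode: restore padding, then decode with the same alphabet."""
    return base64.b64decode(text + "=" * (-len(text) % 4), b"./")


def pbkdf2_sha512(password: str, salt: bytes, rounds: int) -> bytes:
    # dklen=KEYLEN is the change discussed: 64 bytes for SHA-512, not the SHA-1 era 20.
    return hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, rounds, dklen=KEYLEN)


def hash_password(password: str, rounds: int = 210_000, salt: Optional[bytes] = None) -> str:
    """Return a stored-form string: {PBKDF2S5}rounds$salt$hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = pbkdf2_sha512(password, salt, rounds)
    return "{%s}%d$%s$%s" % (SCHEME, rounds, h64encode(salt), h64encode(digest))


def parse(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored string into (rounds, salt, digest); reject other schemes."""
    prefix = "{%s}" % SCHEME
    if not stored.startswith(prefix):
        raise ValueError("not a %s hash" % SCHEME)
    rounds, salt, digest = stored[len(prefix):].split("$")
    return int(rounds), h64decode(salt), h64decode(digest)


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time."""
    rounds, salt, digest = parse(stored)
    return hmac.compare_digest(pbkdf2_sha512(password, salt, rounds), digest)
```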
History
Date                 User    Action  Args
2023-02-28 21:01:04  rouilj  set     messageid: <1677618064.51.0.00174804525473.issue2551253@roundup.psfhosted.org>
2023-02-28 21:01:04  rouilj  set     recipients: + rouilj
2023-02-28 21:01:04  rouilj  link    issue2551253 messages
2023-02-28 21:01:04  rouilj  create