[Openstack-security] [Bug 1668503] Change abandoned on keystone (master)
Change abandoned by Morgan Fainberg (morgan.fainberg at gmail.com) on branch: master
Reason: Abandoning, no backports needed can go with a more comprehensive fix
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
Status in OpenStack Identity (keystone):
Status in OpenStack Identity (keystone) mitaka series:
Status in OpenStack Identity (keystone) newton series:
Status in OpenStack Identity (keystone) ocata series:
Status in OpenStack Identity (keystone) pike series:
Status in OpenStack Security Advisory:
Keystone uses sha512_crypt for password hashing. This is insufficient
and provides limited protection (even with 10,000 rounds) against
brute-forcing of the password hashes (especially with FPGAs and/or GPU
The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
instead of sha512_crypt.
This bug is marked as public security as bug #1543048 has already
highlighted this issue.
To manage notifications about this bug go to: