osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing


I also apologize if I didn't make it clear it was pbkdf still with
sha512, just that sha512_crypt (even pbkdf) is not sufficient for
applications (e.g. exposing your shadow file on linux *is* still a
compromise). The implication is that there is significantly more surface
area for Keystone to deal with than a system shadow file, therefore we
should be using bcrypt, scrypt, or at *least* pbkdf2 instead of
sha512_crypt.

tl;dr I may have also missed on communicating sha512_crypt is pbkdf
rather than bare sha512 hashing.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1668503

Title:
  sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Won't Fix
Status in OpenStack Identity (keystone) newton series:
  Won't Fix
Status in OpenStack Identity (keystone) ocata series:
  Won't Fix
Status in OpenStack Identity (keystone) pike series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Keystone uses sha512_crypt for password hashing. This is insufficient
  and provides limited protection (even with 10,000 rounds) against
  brute-forcing of the password hashes (especially with FPGAs and/or GPU
  processing).

  The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
  instead of sha512_crypt.

  This bug is marked as public security as bug #1543048 has already
  highlighted this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions