Password hashers need some hardening #36

Open
tarkatronic opened this issue Aug 6, 2020 · 0 comments
Labels
enhancement New feature or request help wanted Extra attention is needed security Issues related to the security of the code. PLEASE READ SECURITY POLICY BEFORE USING.

Comments

tarkatronic (Member) commented Aug 6, 2020

Is your feature request related to a problem? Please describe.
Right now, although we use PBKDF2 with a SHA512 hash, we use a static salt and static iteration count. This makes things not quite as secure as they could/should be. We also can't easily increase the iteration count for future purposes.

Describe the solution you'd like
We need something more like what Django does: https://github.com/django/django/blob/136ec9b62bd0b105f281218d7cad54b7db7a4bab/django/contrib/auth/hashers.py#L247-L299

In the decode method you can see:

algorithm, iterations, salt, hash = encoded.split('$', 3)

This indicates that passwords are stored in the format:

pbkdf2_sha512$260000$random_string_for_salt$hashed_password

Currently, we only store the last part of that: the hashed_password.

@tarkatronic tarkatronic added enhancement New feature or request help wanted Extra attention is needed security Issues related to the security of the code. PLEASE READ SECURITY POLICY BEFORE USING. labels Aug 6, 2020
@tarkatronic tarkatronic added this to the Stage 1 - Chat Server milestone Aug 6, 2020
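As an added illustration of the scheme the issue asks for (this is example code written for this page, not the project's implementation and not Django's hashers.py), the block below stores passwords as `algorithm$iterations$salt$digest` with a random per-password salt, verifies by re-running PBKDF2 with the stored parameters, and flags hashes whose iteration count has fallen behind the current setting so they can be re-hashed at the next successful login. The names `hash_password`, `decode`, `verify_password`, `needs_rehash` and `check_and_upgrade` are hypothetical; the 260000 figure is taken from the example string above.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical settings for this example. The algorithm tag is stored with
# each hash so a later change of digest or work factor can be recognised.
ALGORITHM = "pbkdf2_sha512"
ITERATIONS = 260_000      # current work factor; raise it as hardware improves
SALT_BYTES = 16           # 128 bits of randomness per password


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[str] = None) -> str:
    """Return 'pbkdf2_sha512$<iterations>$<salt>$<base64 digest>'.

    A fresh random salt is drawn unless one is passed in (verification
    re-uses the stored salt). token_urlsafe yields base64url characters,
    so the salt can never contain the '$' separator.
    """
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    if salt is None:
        salt = secrets.token_urlsafe(SALT_BYTES)
    if not salt or "$" in salt:
        raise ValueError("salt must be non-empty and must not contain '$'")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations)
    digest = base64.b64encode(dk).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${digest}"


def decode(encoded: str) -> Tuple[str, int, str, str]:
    """Split a stored value into (algorithm, iterations, salt, digest).

    Same split('$', 3) as quoted from Django above. An unknown algorithm
    tag is rejected instead of being verified with the wrong parameters.
    """
    try:
        algorithm, iterations, salt, digest = encoded.split("$", 3)
    except ValueError:
        raise ValueError("malformed encoded password") from None
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return algorithm, int(iterations), salt, digest


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt, _ = decode(encoded)
    candidate = hash_password(password, iterations, salt)
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def needs_rehash(encoded: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored hash uses fewer iterations than the current setting."""
    return decode(encoded)[1] < iterations


def check_and_upgrade(password: str, encoded: str) -> Tuple[bool, Optional[str]]:
    """Login helper: returns (ok, replacement).

    replacement is a new encoding to store when the password was correct
    and the stored hash is weaker than the current setting. A successful
    login is the only moment the plaintext is available to recompute it.
    """
    if not verify_password(password, encoded):
        return False, None
    if needs_rehash(encoded):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    ok, replacement = check_and_upgrade("correct horse battery staple", legacy)
    print(ok, replacement is not None)  # True True
```

Two points worth keeping in mind when adopting this layout: the stored column must be wide enough for the four fields (a 64-byte SHA-512 output base64-encodes to 88 characters before the prefix, salt and separators are added), and raising ITERATIONS only affects rows as they are re-hashed, so old rows keep their old work factor until their owner logs in again.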