On 04/10/2017 08:12 AM, Andrew Shadura wrote:
Yes, pbkdf2 sounds good. I was thinking about that too, but I thought
choosing a specific hash needs more research.

I agree. The theory could be that someone did that research and decided on pbkdf2 and got it mainlined. That makes it a better choice than the bcrypt module.

This approach has a downside: users will continue to use SHA256 until they
change their password, so if the database leaks, attackers may check
(unsalted) hashes against known popular password hashes.
I guess we automatically could migrate the crypted password to the new
algorithm every time we see a password using the old algorithm. We can
thus "soon" deprecate sha256 completely.
I'm not sure what you mean. Do you mean migrating the passwords as they
are changed (something similar to what I proposed)? Because as we store
only hashes, we don't have a way to re-hash passwords using a different
algorithm.

I mean migrating passwords as they are checked. At that point, we temporarily do have the cleartext password and can re-hash.

Well, indeed, as different hashes look different, we don't really risk the
hash matching when it shouldn't. And even though checking the hash takes
slightly more time, it's not something we can't afford.

Yeah, especially as we move everybody to one new algorithm. The fastest path will be the common one.

/Mads

_______________________________________________
kallithea-general mailing list
[email protected]
https://lists.sfconservancy.org/mailman/listinfo/kallithea-general

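The migrate-on-check scheme discussed in the thread, as an added example that is not part of the original messages and not Kallithea's own code: the stored string's format tells the two schemes apart (bare hex for the legacy unsalted SHA-256, a self-describing "$pbkdf2-sha256$..." string for the new one), so the login check verifies against whichever is stored and, only after a successful check of a legacy hash, re-hashes the cleartext it has in hand and replaces the stored value. The iteration count, salt length, prefix and `check_and_migrate`/`verify` names are assumptions for illustration.

```python
"""Login-time migration of legacy unsalted SHA-256 hashes to salted PBKDF2.

Added example for the kallithea-general discussion; not Kallithea's code.
Prefix, iteration count and salt length below are assumed values.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ALGO = "sha256"           # assumed
PBKDF2_ITERATIONS = 100_000      # assumed
PBKDF2_SALT_BYTES = 16           # assumed
PBKDF2_PREFIX = "$pbkdf2-sha256$"  # assumed self-describing prefix


def legacy_sha256(password: str) -> str:
    """The old scheme under discussion: unsalted SHA-256 stored as 64 hex chars."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """New scheme: salted PBKDF2-HMAC-SHA256, encoded as
    '$pbkdf2-sha256$<iterations>$<base64 salt>$<base64 derived key>'."""
    if salt is None:
        salt = os.urandom(PBKDF2_SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PBKDF2_ALGO, password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (
        PBKDF2_PREFIX,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def is_legacy(stored: str) -> bool:
    """The two formats are disjoint: a legacy hash is bare hex and can never
    start with '$', so a PBKDF2 string cannot be mistaken for it (or vice versa)."""
    return not stored.startswith(PBKDF2_PREFIX)


def verify(password: str, stored: str) -> bool:
    """Check a password against either stored format, with constant-time compares."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_sha256(password), stored)
    try:
        _, _, iters, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    dk = hashlib.pbkdf2_hmac(PBKDF2_ALGO, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def check_and_migrate(user: Dict[str, str], password: str) -> Tuple[bool, bool]:
    """Password check that upgrades a legacy hash while the cleartext is available.

    Returns (authenticated, migrated). Only a successful check of a legacy hash
    triggers the re-hash; a failed attempt must never touch the stored value,
    otherwise an attacker could overwrite hashes by guessing.
    """
    stored = user["password"]
    if not verify(password, stored):
        return False, False
    if is_legacy(stored):
        user["password"] = pbkdf2_hash(password)  # re-hash, persist in real code
        return True, True
    return True, False


if __name__ == "__main__":
    # Constructed sample account with a legacy hash.
    account = {"password": legacy_sha256("correct horse")}
    print("first login:", check_and_migrate(account, "correct horse"))
    print("stored now:", account["password"][:20] + "...")
    print("second login:", check_and_migrate(account, "correct horse"))
```

The cost profile matches the thread's point: once everyone has logged in once, every check takes the PBKDF2 path and the legacy branch is dead code that can be removed, together with any remaining unmigrated rows being force-reset.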