*** This bug is a security vulnerability ***
Public security bug reported:
Keystone uses sha512_crypt for password hashing. This is completely
insufficient and provides limited protection (even with 10,000 rounds)
against brute-forcing of the password hashes (especially with FPGAs
and/or GPU processing).
The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead
of sha512_crypt.
This bug is marked as public security as bug #1543048 has already
highlighted this issue.
** Affects: keystone
Importance: Critical
Assignee: Morgan Fainberg (mdrnstm)
Status: Triaged
** Affects: ossa
Importance: Undecided
Status: Incomplete
** Tags: security
** Also affects: ossa
Importance: Undecided
Status: New
** Changed in: ossa
Status: New => Incomplete
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1668503
Title:
sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Security Advisory:
Incomplete
Bug description:
Keystone uses sha512_crypt for password hashing. This is completely
insufficient and provides limited protection (even with 10,000 rounds)
against brute-forcing of the password hashes (especially with FPGAs
and/or GPU processing).
The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512
instead of sha512_crypt.
This bug is marked as public security as bug #1543048 has already
highlighted this issue.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
