Password hashers need some hardening #36

@tarkatronic

Description

Is your feature request related to a problem? Please describe.
Right now, although we use PBKDF2 with a SHA512 hash, we use a static salt and static iteration count. This makes things not quite as secure as they could/should be. We also can't easily increase the iteration count for future purposes.

Describe the solution you'd like
We need something more like what Django does: https://github.com/django/django/blob/136ec9b62bd0b105f281218d7cad54b7db7a4bab/django/contrib/auth/hashers.py#L247-L299

In the decode method you can see:

```python
algorithm, iterations, salt, hash = encoded.split('$', 3)
```

This indicates that passwords are stored in the format:

```text
pbkdf2_sha512$260000$random_string_for_salt$hashed_password
```

Currently, we only share the last part of that: the hashed_password.
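As an added illustration (not code from this project or from Django), here is what the Django-style scheme the issue asks for looks like in Python's standard library: a fresh random salt per password, the iteration count stored alongside the hash in the `$`-delimited string, and a verifier that reads the iterations back out of the stored value so the default can be raised later without invalidating existing hashes. The `hash_password`, `decode`, `verify_password` and `must_update` names and the 260000 default are assumptions taken from the issue's example string, not an API of this project.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed names; the format follows the issue's example:
#   pbkdf2_sha512$<iterations>$<salt>$<base64 hash>
ALGORITHM = "pbkdf2_sha512"
DEFAULT_ITERATIONS = 260000  # value shown in the issue's example string
SALT_BYTES = 16              # 128 bits of randomness per password


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[str] = None) -> str:
    """Return the encoded string. A new random salt is drawn unless one is
    supplied (supplying one is only needed when re-deriving for verification)."""
    if salt is None:
        # token_urlsafe yields only [A-Za-z0-9_-], so it can never contain '$'
        salt = secrets.token_urlsafe(SALT_BYTES)
    if "$" in salt:
        raise ValueError("salt must not contain the field separator")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    digest = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt.encode("utf-8"), iterations)
    encoded_hash = base64.b64encode(digest).decode("ascii")
    return "$".join([ALGORITHM, str(iterations), salt, encoded_hash])


def decode(encoded: str) -> Dict[str, object]:
    """Split a stored value into its parts, mirroring the decode() the issue quotes."""
    try:
        algorithm, iterations, salt, hash_ = encoded.split("$", 3)
    except ValueError:
        raise ValueError("stored hash does not have four '$'-separated fields")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    return {"algorithm": algorithm, "iterations": int(iterations),
            "salt": salt, "hash": hash_}


def verify_password(password: str, encoded: str) -> bool:
    """Re-derive with the salt and iteration count stored in `encoded` and
    compare in constant time, so timing does not leak how many bytes matched."""
    parts = decode(encoded)
    candidate = hash_password(password, parts["iterations"], parts["salt"])
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


def must_update(encoded: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored hash used fewer iterations than the current default;
    a caller would re-hash on the next successful login."""
    return decode(encoded)["iterations"] < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print(stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("verify wrong:", verify_password("wrong", stored))
    legacy = hash_password("old password", iterations=1000)   # constructed sample
    print("needs update:", must_update(legacy))
```

Because the iteration count travels with each hash, raising `DEFAULT_ITERATIONS` only affects newly stored passwords; `must_update` lets the application transparently upgrade older entries the next time their owners authenticate, which is the "easily increase the iteration count for future purposes" point in the issue.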

Labels: enhancement (New feature or request), help wanted (Extra attention is needed), security (Issues related to the security of the code. PLEASE READ SECURITY POLICY BEFORE USING.)
