[Openstack-security] [Bug 1543048] [NEW] support alternative password hashing in keystone

Morgan Fainberg morgan.fainberg at gmail.com
Mon Feb 8 10:25:02 UTC 2016


Public bug reported:

Once upon a time there was bug #862730 recommending that alternative
password hashing be supported; it was closed as invalid since hashing
became a base-line feature of Keystone's passwords. It would be generally
beneficial to support at the very least the passlib implementation of
bcrypt as an alternative to strictly sha512-based password hashing.
Ideally this should also take into account the relatively new player
scrypt.

NIST has standardized (afaict) on SHA-2 based hashing, which should
remain the default. An architecture that supports different password
hashing algorithms, made available at least through passlib, will make
keystone better in the long term, allowing operators to determine more
than just the SHA-2 based cost.

The proposal is as follows:

  * Allow selected support of different password hashing algorithms from
within passlib architecturally

  * Expand to support bcrypt

  * Deprecate the "crypt_strength" option in favor of identifying the
cost when selecting the password hashing algorithm, such as
sha512::10000 or bcrypt::12

  * Keep the default the same as today

  * Identify the password hash based upon the algorithm used, no
identifier = sha512 (this might not be required)

  * Add "py-bcrypt" or similar "preferred" backend(s) to extras in
setup.cfg
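As an added illustration of the "algorithm::cost" setting syntax and the hash identification proposed above (example code, not keystone's own; the sample hash strings are constructed to carry the sha512_crypt and bcrypt prefixes and are not real digests):

```python
import re

# Added example (not keystone's code): the proposal's "algorithm::cost" setting
# syntax, and identifying a stored hash by its prefix so an operator's change
# of algorithm or cost can trigger a rehash on the next successful login.
# Cost bounds are those the sha512_crypt and bcrypt formats themselves define.
DEFAULT_ALGORITHM = "sha512"
COST_BOUNDS = {"sha512": (1000, 999_999_999), "bcrypt": (4, 31)}
PREFIXES = {"$6$": "sha512", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}

# Constructed sample hash strings with the right prefixes; not real digests.
SHA512_STORED = "$6$rounds=10000$constructedsalt$" + "A" * 86
BCRYPT_STORED = "$2b$12$" + "B" * 53


def parse_hash_setting(value):
    """'sha512::10000' -> ('sha512', 10000); a bare 'bcrypt' -> ('bcrypt', None)."""
    algorithm, sep, cost = value.strip().partition("::")
    if algorithm not in COST_BOUNDS:
        raise ValueError("unsupported password hash algorithm: %r" % algorithm)
    if not sep:
        return algorithm, None  # None: leave the cost to the hashing library
    low, high = COST_BOUNDS[algorithm]
    if not cost.isdigit() or not low <= int(cost) <= high:
        raise ValueError("%s cost %r outside %d..%d" % (algorithm, cost, low, high))
    return algorithm, int(cost)


def identify_hash(stored):
    """(algorithm, cost) recorded in a stored hash; no known prefix = sha512, cost None."""
    for prefix, algorithm in PREFIXES.items():
        if stored.startswith(prefix):
            break
    else:
        return DEFAULT_ALGORITHM, None
    if algorithm == "bcrypt":
        return algorithm, int(stored[4:6])  # "$2b$12$..." records cost 12
    m = re.match(r"\$6\$rounds=(\d+)\$", stored)
    return algorithm, (int(m.group(1)) if m else 5000)  # sha512_crypt implicit rounds


def needs_rehash(stored, setting):
    """True when the stored hash does not match the configured algorithm/cost."""
    wanted_algorithm, wanted_cost = parse_hash_setting(setting)
    have_algorithm, have_cost = identify_hash(stored)
    if have_algorithm != wanted_algorithm:
        return True
    return wanted_cost is not None and have_cost != wanted_cost
```

A hash that needs_rehash flags can be regenerated with the configured algorithm the next time the user authenticates successfully, so cost upgrades roll out without a mass reset.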

** Affects: keystone
     Importance: Wishlist
         Status: New


** Tags: password security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1543048
