[Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
Luke Hinds
lhinds at redhat.com
Tue Aug 15 06:57:36 UTC 2017
Couple of Q's...
For the OSSN what would the 'recommended actions' be to update to Pike?
Is it a seamless crossover going from sha512_crypt to bcrypt, scrypt, or
pbkdf2_sha512, or would passwords need to be regenerated (thinking in
this instance of an operator upgrading from a previous release to Pike)?
** Changed in: ossn
Assignee: (unassigned) => Luke Hinds (lhinds)
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1668503
Title: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
Status in OpenStack Identity (keystone): Fix Released
Status in OpenStack Identity (keystone) mitaka series: Won't Fix
Status in OpenStack Identity (keystone) newton series: Won't Fix
Status in OpenStack Identity (keystone) ocata series: Won't Fix
Status in OpenStack Identity (keystone) pike series: Fix Released
Status in OpenStack Security Advisory: Won't Fix
Status in OpenStack Security Notes: New
Bug description:
Keystone uses sha512_crypt for password hashing. This is insufficient
and provides limited protection (even with 10,000 rounds) against
brute-forcing of the password hashes (especially with FPGAs and/or GPU
processing).
The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
instead of sha512_crypt.
This bug is marked as public security as bug #1543048 has already
highlighted this issue.
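On the crossover question raised above: the usual way a scheme change like this is made seamless is to verify each login against the stored hash in whichever scheme it uses and, when that hash is a legacy sha512_crypt one, re-hash with pbkdf2_sha512 on that successful login, so no password needs regenerating. The following is an added, stdlib-only sketch of that verify-and-update pattern, not keystone's or passlib's code; the `$pbkdf2-sha512$<rounds>$<salt>$<hash>` layout, the round count and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000          # assumed default; tune to your hardware budget
NEW_PREFIX = "$pbkdf2-sha512$"   # constructed layout: $pbkdf2-sha512$<rounds>$<salt b64>$<hash b64>

def hash_pbkdf2_sha512(password, rounds=PBKDF2_ROUNDS, salt=None):
    """Hash a password with PBKDF2-HMAC-SHA512 and a fresh 16-byte random salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "%s%d$%s$%s" % (NEW_PREFIX, rounds, base64.b64encode(salt).decode(),
                           base64.b64encode(dk).decode())

def verify_pbkdf2_sha512(password, stored):
    """Recompute the derived key with the stored rounds/salt; constant-time compare."""
    _, _, rounds, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def verify_sha512_crypt(password, stored):
    """Verify a legacy "$6$..." hash via the platform crypt(3) (stdlib module 'crypt',
    available on Linux up to Python 3.12); treated as a failed login if absent."""
    try:
        import crypt
    except ImportError:
        return False
    computed = crypt.crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)

def needs_update(stored):
    """True for any hash not already in the target scheme (e.g. sha512_crypt "$6$")."""
    return not stored.startswith(NEW_PREFIX)

def verify_and_update(password, stored):
    """Check a login against whichever scheme 'stored' uses.
    Returns (ok, replacement): on a successful login against a legacy sha512_crypt
    hash, 'replacement' is a new pbkdf2_sha512 hash the caller persists in place of
    the old one; otherwise it is None."""
    if stored.startswith(NEW_PREFIX):
        return verify_pbkdf2_sha512(password, stored), None
    if stored.startswith("$6$"):
        ok = verify_sha512_crypt(password, stored)
        return ok, (hash_pbkdf2_sha512(password) if ok else None)
    return False, None          # unknown scheme: refuse rather than guess
```

Rows whose hash still fails `needs_update()` after a migration window belong to accounts that never logged in; those are the only ones an operator has to handle separately (for example by forcing a reset).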