[Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

Morgan Fainberg morgan.fainberg at gmail.com
Tue Aug 15 14:48:07 UTC 2017


All new/updated/changes passwords (after upgrade) would be bcrypt hashed,
old passwords remain sha512_crypt. An operator may want to force password
changes.

On Aug 15, 2017 00:11, "Luke Hinds" <lhinds at redhat.com> wrote:

> Couple of Q's...
>
> For the OSSN what would the 'recommended actions' be to update to Pike?
>
> Is it a seamless crossover going from sha512_crypt to bcrypt, scrypt, or
> pbkdf2_sha512, or would passwords need to be regenerated (thinking in
> this instance of an operator upgrading from a previous release to Pike)
> ?
>
> ** Changed in: ossn
>      Assignee: (unassigned) => Luke Hinds (lhinds)
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> Matching subscriptions: Private security bugs
> https://bugs.launchpad.net/bugs/1668503
>
> Title:
>   sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
>
> Status in OpenStack Identity (keystone):
>   Fix Released
> Status in OpenStack Identity (keystone) mitaka series:
>   Won't Fix
> Status in OpenStack Identity (keystone) newton series:
>   Won't Fix
> Status in OpenStack Identity (keystone) ocata series:
>   Won't Fix
> Status in OpenStack Identity (keystone) pike series:
>   Fix Released
> Status in OpenStack Security Advisory:
>   Won't Fix
> Status in OpenStack Security Notes:
>   New
>
> Bug description:
>   Keystone uses sha512_crypt for password hashing. This is insufficient
>   and provides limited protection (even with 10,000 rounds) against
>   brute-forcing of the password hashes (especially with FPGAs and/or GPU
>   processing).
>
>   The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
>   instead of sha512_crypt.
>
>   This bug is marked as public security as bug #1543048 has already
>   highlighted this issue.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions
>

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1668503
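An added example, not keystone's code and not from anyone in this thread, of the upgrade behaviour Morgan describes: a stored hash is verified with whatever scheme it was written under, and only a successful login against a deprecated hash produces a replacement hash in the new scheme, so old passwords stay sha512_crypt until they are used or changed. The new scheme here is pbkdf2_sha512 via hashlib; the "legacy" scheme is a constructed single-pass salted SHA-512 standing in for sha512_crypt so the demo runs offline without crypt(3). The UserStore class, the hash string prefixes and the 210,000-round work factor are assumptions of this example, not keystone's configuration. The users_on_deprecated_scheme() report is the check an operator would run before deciding whether to force password changes.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work factor for the new scheme. Illustrative value chosen for this example,
# not keystone's configured default.
PBKDF2_SHA512_ROUNDS = 210_000
LEGACY_PREFIX = "$legacy-sha512$"   # constructed stand-in for sha512_crypt ("$6$")
PBKDF2_PREFIX = "$pbkdf2-sha512$"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def legacy_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for the deprecated scheme (constructed for this example).

    A single salted SHA-512, so the demo needs no crypt(3). Real sha512_crypt
    differs; the migration logic below only needs "verify" and "is this
    scheme deprecated".
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{LEGACY_PREFIX}{_b64(salt)}${digest}"


def hash_pbkdf2_sha512(password: str, rounds: int = PBKDF2_SHA512_ROUNDS,
                       salt: Optional[bytes] = None) -> str:
    """New scheme: PBKDF2-HMAC-SHA512 in a modular-crypt-style string."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"{PBKDF2_PREFIX}{rounds}${_b64(salt)}${_b64(dk)}"


def _verify(password: str, stored: str) -> bool:
    """Dispatch on the scheme prefix; constant-time compare in both cases."""
    if stored.startswith(PBKDF2_PREFIX):
        rounds, salt_b64, dk_b64 = stored[len(PBKDF2_PREFIX):].split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, int(rounds))
        return hmac.compare_digest(dk, expected)
    if stored.startswith(LEGACY_PREFIX):
        salt_b64, digest = stored[len(LEGACY_PREFIX):].split("$")
        salt = base64.b64decode(salt_b64)
        actual = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(actual, digest)
    return False  # unknown scheme: fail closed


def verify_and_update(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (verified, replacement_hash).

    replacement_hash is set only when the password verified AND the stored
    hash uses the deprecated scheme. A failed login never rehashes, and a
    hash already in the new scheme is left alone.
    """
    if not _verify(password, stored):
        return False, None
    if stored.startswith(LEGACY_PREFIX):
        return True, hash_pbkdf2_sha512(password)
    return True, None


class UserStore:
    """Minimal in-memory user table (assumption: stands in for the identity backend)."""

    def __init__(self) -> None:
        self._hashes: Dict[str, str] = {}

    def add_legacy_user(self, name: str, password: str) -> None:
        # Simulates an account created before the upgrade.
        self._hashes[name] = legacy_hash(password)

    def login(self, name: str, password: str) -> bool:
        stored = self._hashes.get(name)
        if stored is None:
            return False
        ok, replacement = verify_and_update(password, stored)
        if ok and replacement is not None:
            self._hashes[name] = replacement  # transparent upgrade on login
        return ok

    def users_on_deprecated_scheme(self) -> List[str]:
        """Accounts still on the old scheme: the operator's force-reset candidate list."""
        return sorted(n for n, h in self._hashes.items() if h.startswith(LEGACY_PREFIX))


if __name__ == "__main__":
    store = UserStore()
    store.add_legacy_user("alice", "correct horse battery staple")  # constructed sample
    store.add_legacy_user("bob", "hunter2")                          # constructed sample
    print(store.users_on_deprecated_scheme())                        # ['alice', 'bob']
    store.login("alice", "correct horse battery staple")
    print(store.users_on_deprecated_scheme())                        # ['bob']
```

Users who never log in after the upgrade keep their old hash indefinitely, which is why the report above matters: an operator who wants every stored hash on the new scheme has to expire those passwords rather than wait.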
