[Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

Morgan Fainberg morgan.fainberg at gmail.com
Tue Aug 15 14:48:41 UTC 2017


** or to whichever hash is configured if not default.

On Aug 15, 2017 07:48, "Morgan Fainberg" <morgan.fainberg at gmail.com>
wrote:

> All new/updated/changes passwords (after upgrade) would be bcrypt hashed,
> old passwords remain sha512_crypt. An operator may want to force password
> changes.
>
> On Aug 15, 2017 00:11, "Luke Hinds" <lhinds at redhat.com> wrote:
>
>> Couple of Q's...
>>
>> For the OSSN what would the 'recommended actions' be to update to Pike?
>>
>> Is it a seamless crossover going from sha512_crypt to bcrypt, scrypt, or
>> pbkdf2_sha512, or would passwords need to be regenerated (thinking in
>> this instance of an operator upgrading from a previous release to Pike)
>> ?
>>
>> ** Changed in: ossn
>>      Assignee: (unassigned) => Luke Hinds (lhinds)
>>
>

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1668503

Title:
  sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Won't Fix
Status in OpenStack Identity (keystone) newton series:
  Won't Fix
Status in OpenStack Identity (keystone) ocata series:
  Won't Fix
Status in OpenStack Identity (keystone) pike series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  Keystone uses sha512_crypt for password hashing. This is insufficient
  and provides limited protection (even with 10,000 rounds) against
  brute-forcing of the password hashes (especially with FPGAs and/or GPU
  processing).

  The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
  instead of sha512_crypt.

  This bug is marked as public security as bug #1543048 has already
  highlighted this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions
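The crossover described in the thread (new, updated or changed passwords get the stronger hash, untouched passwords stay sha512_crypt until the user next authenticates or changes them) is the verify-then-rehash pattern. The following is an added example and is not Keystone's or passlib's code. It assumes a constructed in-memory user table, a made-up "$scheme$rounds$salt$digest" string layout (not passlib's modular-crypt encoding), and a simplified iterated salted SHA-512 stand-in for the legacy scheme, which is not the real sha512_crypt algorithm; pbkdf2_sha512 comes from the standard library and the round count is a constructed value.

```python
"""Verify-then-rehash migration from a legacy hash to PBKDF2-HMAC-SHA512.

Added example, not code from Keystone or passlib. Constructed assumptions:
- LEGACY_SCHEME is a simplified iterated salted SHA-512 stand-in, NOT the
  real sha512_crypt algorithm;
- hash strings use a made-up "$scheme$rounds$salt$digest" layout;
- the user table is a plain dict mapping user name -> stored hash string.
"""
import base64
import hashlib
import hmac
import os

LEGACY_SCHEME = "legacy-sha512"   # stand-in for sha512_crypt
CURRENT_SCHEME = "pbkdf2-sha512"
LEGACY_ROUNDS = 10_000            # mirrors the 10,000 rounds named in the bug
PBKDF2_ROUNDS = 600_000           # constructed default; tune to your hardware


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def _legacy_digest(password: str, salt: bytes, rounds: int) -> bytes:
    # Simplified stand-in: iterated SHA-512 over salt || password.
    data = salt + password.encode("utf-8")
    for _ in range(rounds):
        data = hashlib.sha512(data).digest()
    return data


def _pbkdf2_digest(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)


def hash_legacy(password: str, salt: bytes = None) -> str:
    """Produce a legacy-scheme string (only used to seed pre-upgrade users)."""
    salt = salt or os.urandom(16)
    digest = _legacy_digest(password, salt, LEGACY_ROUNDS)
    return "$".join(["", LEGACY_SCHEME, str(LEGACY_ROUNDS), _b64(salt), _b64(digest)])


def hash_current(password: str, salt: bytes = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Produce the current-scheme string used for all new or changed passwords."""
    salt = salt or os.urandom(16)
    digest = _pbkdf2_digest(password, salt, rounds)
    return "$".join(["", CURRENT_SCHEME, str(rounds), _b64(salt), _b64(digest)])


def _parse(stored: str):
    _, scheme, rounds, salt, digest = stored.split("$")
    return scheme, int(rounds), _unb64(salt), _unb64(digest)


def verify(password: str, stored: str) -> bool:
    """Check a password against whichever scheme the stored string names."""
    scheme, rounds, salt, digest = _parse(stored)
    if scheme == LEGACY_SCHEME:
        candidate = _legacy_digest(password, salt, rounds)
    elif scheme == CURRENT_SCHEME:
        candidate = _pbkdf2_digest(password, salt, rounds)
    else:
        return False  # unknown scheme: refuse rather than guess
    return hmac.compare_digest(candidate, digest)


def needs_update(stored: str) -> bool:
    """True if the hash is on the legacy scheme or below the current work factor."""
    scheme, rounds, _, _ = _parse(stored)
    return scheme != CURRENT_SCHEME or rounds < PBKDF2_ROUNDS


def authenticate(users: dict, name: str, password: str) -> bool:
    """Verify a login; on success, transparently rehash any out-of-date entry.

    The plaintext is only available at login or password change, so this is
    the only point at which a legacy hash can be replaced.
    """
    stored = users.get(name)
    if stored is None or not verify(password, stored):
        return False
    if needs_update(stored):
        users[name] = hash_current(password)
    return True


def legacy_report(users: dict) -> list:
    """Names still holding out-of-date hashes: the operator's input for
    deciding whether to force password changes after the upgrade."""
    return sorted(name for name, stored in users.items() if needs_update(stored))


if __name__ == "__main__":
    table = {"alice": hash_legacy("correct horse"), "bob": hash_current("battery staple")}
    print("before login:", legacy_report(table))
    authenticate(table, "alice", "correct horse")
    print("after login: ", legacy_report(table))
```

Note that a failed login never rewrites the stored hash, and that accounts which never log in again keep their sha512_crypt-style hash indefinitely, which is why the report function matters when deciding on a forced password rotation.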
