[Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

OpenStack Infra 1668503 at bugs.launchpad.net
Fri Jun 2 12:20:50 UTC 2017


Reviewed:  https://review.openstack.org/438701
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=8ad765e0230ceeb5ca7c36ec3ed6d25c57b22c9d
Submitter: Jenkins
Branch:    master

commit 8ad765e0230ceeb5ca7c36ec3ed6d25c57b22c9d
Author: Morgan Fainberg <morgan.fainberg at gmail.com>
Date:   Mon Feb 27 13:06:07 2017 -0800

    Support new hashing algorithms for securely storing password hashes
    
    Support bcrypt, pbkdf2_sha512, or scrypt in password hashing for
    passwords managed within keystone. sha512_crypt is insufficient to
    hash passwords in a secure way for storage in the DB. Keystone defaults
    now to using bcrypt but can handle scrypt and pbkdf2_sha512 with a number
    of tuning options if desired.
    
    Closes-bug: #1543048
    Closes-bug: #1668503
    Change-Id: Id05026720839d94de26d0e44631deb34bcc0e610


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1668503

Title:
  sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Won't Fix
Status in OpenStack Identity (keystone) newton series:
  Won't Fix
Status in OpenStack Identity (keystone) ocata series:
  Won't Fix
Status in OpenStack Identity (keystone) pike series:
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Keystone uses sha512_crypt for password hashing. This is insufficient
  and provides limited protection (even with 10,000 rounds) against
  brute-forcing of the password hashes (especially with FPGAs and/or GPU
  processing).

  The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
  instead of sha512_crypt.

  This bug is marked as public security as bug #1543048 has already
  highlighted this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions
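The bug report above states that sha512_crypt should be replaced with bcrypt, scrypt, or pbkdf2_sha512. The block below is an added example, not keystone's code and not the code in the linked commit (keystone drives its hash algorithms through passlib; this example uses only Python's standard library). It implements pbkdf2_sha512 hashing with a per-password random salt, constant-time verification, a needs_rehash check that flags legacy `$6$` (sha512_crypt) strings or under-tuned round counts so they can be re-hashed on next successful login, and a rounds calibration helper. The `$pbkdf2-sha512$rounds$salt$hash` string layout, the default of 100,000 rounds, the helper names, and the sample password are assumptions made for this example.

```python
"""Added example (not keystone's code): pbkdf2_sha512 password storage with
legacy sha512_crypt detection, standard library only."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Tuning constants assumed for this example; they are not keystone's defaults.
DEFAULT_ROUNDS = 100_000   # pbkdf2 iteration count for new hashes
SALT_BYTES = 16            # 128-bit random salt per password
IDENT = "pbkdf2-sha512"    # identifier used in the constructed hash string
LEGACY_PREFIX = "$6$"      # sha512_crypt identifier (glibc crypt / passlib)


def _b64(raw: bytes) -> str:
    # Unpadded base64; '+' and '/' never collide with the '$' separator.
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return '$pbkdf2-sha512$<rounds>$<salt>$<hash>' for the given password."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"${IDENT}${rounds}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute pbkdf2 with the stored salt/rounds and compare in constant time."""
    try:
        _, ident, rounds_s, salt_s, dk_s = stored.split("$")
        if ident != IDENT:
            return False            # legacy or unknown scheme: never matches here
        rounds = int(rounds_s)
        salt, expected = _unb64(salt_s), _unb64(dk_s)
    except ValueError:
        return False                # malformed string
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                    salt, rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True for a sha512_crypt ($6$) hash, an unknown scheme, or too few rounds.

    A deployment would call this after a successful login and re-hash the
    plaintext it just verified, migrating rows away from sha512_crypt."""
    if stored.startswith(LEGACY_PREFIX):
        return True
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != IDENT:
        return True
    try:
        return int(parts[2]) < min_rounds
    except ValueError:
        return True


def calibrate_rounds(target_seconds: float = 0.25, start: int = 10_000) -> int:
    """Double the round count until one hash takes about target_seconds here."""
    rounds = start
    salt = os.urandom(SALT_BYTES)
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha512", b"calibration", salt, rounds)
        if time.perf_counter() - t0 >= target_seconds or rounds >= 10_000_000:
            return rounds
        rounds *= 2


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw :", verify_password("wrong password", stored))
    print("legacy needs rehash:",
          needs_rehash("$6$rounds=10000$saltsalt$hashhash"))
    print("suggested rounds on this host:", calibrate_rounds())
```

The round count is the whole point of the bug: pbkdf2 lets the operator raise it as hardware gets faster, and `needs_rehash` is what turns a stored `$6$` hash into a migration trigger rather than a permanent weak spot. bcrypt and scrypt are not in the standard library for bcrypt and only partly for scrypt (`hashlib.scrypt` depends on the linked OpenSSL), so a real deployment would use passlib or the `bcrypt` package rather than this block.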
