[Openstack-security] [Bug 1668503] Re: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
Morgan Fainberg
morgan.fainberg at gmail.com
Tue Feb 28 05:24:37 UTC 2017
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.
https://bugs.launchpad.net/bugs/1668503
Title:
sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
Status in OpenStack Identity (keystone):
Triaged
Status in OpenStack Security Advisory:
Incomplete
Bug description:
Keystone uses sha512_crypt for password hashing. This is completely
insufficient and provides limited protection (even with 10,000 rounds)
against brute-forcing of the password hashes (especially with FPGAs
and/or GPU processing).
The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512
instead of sha512_crypt.
This bug is marked as public security as bug #1543048 has already
highlighted this issue.
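An added example (not keystone code and not part of the bug report) of the migration a deployer would want once the hashing scheme changes: hash with PBKDF2-HMAC-SHA512 from the standard library, verify in constant time, and flag stored hashes that still use the legacy sha512_crypt format (modular-crypt prefix `$6$`) or fall below an assumed minimum round count so they can be rehashed at the user's next successful login. The round-count policy and the `$pbkdf2-sha512$rounds$salt$digest` layout are assumptions of this example, not keystone's configuration.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example (illustrative value, not keystone's default).
PBKDF2_MIN_ROUNDS = 100_000
LEGACY_PREFIX = "$6$"  # modular-crypt identifier for sha512_crypt hashes


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, rounds: int = PBKDF2_MIN_ROUNDS) -> str:
    """Return a self-describing hash: $pbkdf2-sha512$<rounds>$<salt>$<digest>."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a hash produced by hash_password; False for any other scheme."""
    try:
        _, scheme, rounds, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2-sha512":
            return False
        salt, expected, rounds = base64.b64decode(salt_b64), base64.b64decode(digest_b64), int(rounds)
    except ValueError:  # malformed layout, bad base64 or bad round count
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True for legacy sha512_crypt hashes, unknown schemes, or rounds below policy."""
    if stored.startswith(LEGACY_PREFIX):
        return True
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha512" or not parts[2].isdigit():
        return True
    return int(parts[2]) < PBKDF2_MIN_ROUNDS


def upgrade_on_login(password: str, stored: str) -> tuple[bool, str]:
    """Verify; on success return a fresh hash if the stored one is below policy."""
    if not verify_password(password, stored):
        return False, stored
    return True, hash_password(password) if needs_rehash(stored) else stored
```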