
yahoo-eng-team team mailing list archive

[Bug 1668503] [NEW] sha512_crypt is insufficient, use pdkfd_sha512 for password hashing


*** This bug is a security vulnerability ***

Public security bug reported:

Keystone uses sha512_crypt for password hashing. This is completely
insufficient and provides limited protection (even with 10,000 rounds)
against brute-forcing of the password hashes (especially with FPGAs
and/or GPU processing).

The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead
of sha512_crypt.

This bug is marked as public security as bug #1543048 has already
highlighted this issue.

** Affects: keystone
     Importance: Critical
     Assignee: Morgan Fainberg (mdrnstm)
         Status: Triaged

** Affects: ossa
     Importance: Undecided
         Status: Incomplete


** Tags: security

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1668503

Title:
  sha512_crypt is insufficient, use pdkfd_sha512 for password hashing

Status in OpenStack Identity (keystone):
  Triaged
Status in OpenStack Security Advisory:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions
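The report above names the defence (a memory- or CPU-hard password hash with a tunable work factor) but not how a stored hash carries its own parameters so that the work factor can be raised later. The following is an added example, not Keystone code (Keystone hashes passwords through passlib; this uses only the Python standard library). It shows salted PBKDF2-HMAC-SHA512 with a self-describing hash string, constant-time verification, and a `needs_rehash` check that flags legacy or under-iterated hashes for re-hashing on the next successful login. The `$pbkdf2-sha512$rounds$salt$digest` layout, `DEFAULT_ROUNDS`, and all function names are this example's own choices, not a Keystone or passlib format.

```python
"""Added example (not Keystone or passlib code): salted PBKDF2-HMAC-SHA512
password hashing with a self-describing hash string, so the work factor can
be raised over time and stale hashes are detected at login."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed work factor for this example; deployments tune it to the
# slowest login latency they will accept on their own hardware.
DEFAULT_ROUNDS = 210_000
SALT_BYTES = 16
IDENT = "pbkdf2-sha512"  # hypothetical scheme tag for this example's format


def _b64(raw: bytes) -> str:
    # Unpadded base64 keeps the hash string free of '$' and '=' noise.
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Return '$pbkdf2-sha512$<rounds>$<salt>$<digest>' for a new password.

    A fresh random salt per hash defeats precomputed tables and makes two
    users with the same password store different values; the round count
    travels with the hash so verification never depends on a global setting.
    """
    if rounds < 1:
        raise ValueError("rounds must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"${IDENT}${rounds}${_b64(salt)}${_b64(digest)}"


def _parse(stored: str) -> Tuple[int, bytes, bytes]:
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != IDENT:
        raise ValueError("unrecognised hash format")
    return int(parts[2]), _unb64(parts[3]), _unb64(parts[4])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        rounds, salt, expected = _parse(stored)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_rounds: int = DEFAULT_ROUNDS) -> bool:
    """True when the stored value is in another scheme (for example a legacy
    sha512_crypt '$6$...' string) or was produced with fewer rounds than the
    current policy. Callers re-hash the plaintext right after a successful
    login, which is the only moment the plaintext is available."""
    try:
        rounds, _, _ = _parse(stored)
    except ValueError:
        return True
    return rounds < min_rounds


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify:", verify_password("correct horse battery staple", stored))
    print("legacy needs rehash:", needs_rehash("$6$rounds=10000$saltsalt$digest"))
```

The `needs_rehash` hook is what makes a migration off sha512_crypt practical: old hashes keep verifying under the old scheme until each user next logs in, at which point the plaintext is re-hashed under the stronger parameters and the weak hash is discarded.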
