yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Tristan Cacqueray <tdecacqu@xxxxxxxxxx>
Date: Tue, 15 Aug 2017 04:03:05 -0000
Reply-to: Bug 1668503 <1668503@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Adding OSSN task based on comment #3

** Also affects: ossn
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1668503

Title:
  sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  Won't Fix
Status in OpenStack Identity (keystone) newton series:
  Won't Fix
Status in OpenStack Identity (keystone) ocata series:
  Won't Fix
Status in OpenStack Identity (keystone) pike series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack Security Notes:
  New

Bug description:
  Keystone uses sha512_crypt for password hashing. This is insufficient
  and provides limited protection (even with 10,000 rounds) against
  brute-forcing of the password hashes (especially with FPGAs and/or GPU
  processing).

  The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
  instead of sha512_crypt.

  This bug is marked as public security as bug #1543048 has already
  highlighted this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions

References

[Bug 1668503] [NEW] sha512_crypt is insufficient, use pdkfd_sha512 for password hashing
From: Morgan Fainberg, 2017-02-28