Project

General

Profile

Actions

Todo #10298

closed

Use SHA-512 for user password hashes

Added by Viktor Gurov about 2 years ago. Updated 7 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Authentication
Target version:
Start date:
02/27/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:

Description

function local_user_set_password() from auth.inc,
for now uses password_hash($password, PASSWORD_BCRYPT) function to create user password hash
from https://www.php.net/manual/en/function.password-hash.php:

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. 
This will produce a standard crypt() compatible hash using the "$2y$" identifier. 
The result will always be a 60 character string, or FALSE on failure.

Is it possible to use CNSA-compatible hashing for this operation?
From https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm:
Use SHA-384 to protect up to TOP SECRET. ( http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf )

Using hash() ?
https://stackoverflow.com/questions/6431918/php-sha256-and-salt-wont-work


Related issues

Related to Bug #12800: Suboptimal Password HashingClosedJim Pingle

Actions
Related to Feature #12855: GUI option to select the user password hashing algorithmResolvedJim Pingle

Actions
Actions #1

Updated by Brad Davis 10 months ago

  • Assignee set to Viktor Gurov

Can you implement this and switch to SHA-512?

Actions #2

Updated by Brad Davis 10 months ago

  • Target version set to 64

(SHA-512 so it matches FreeBSD)

Actions #3

Updated by Jim Pingle 10 months ago

  • Target version changed from 64 to 2.6.0
  • Plus Target Version set to 21.09
Actions #5

Updated by Jim Pingle 10 months ago

  • Status changed from New to Pull Request Review
Actions #6

Updated by Jim Pingle 9 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
Actions #7

Updated by Jim Pingle 9 months ago

  • Tracker changed from Feature to Todo
  • Subject changed from Use CNSA-compliant algo to hash user password to Use SHA-512 for user password hashes

Updating subject and tracker for release notes.

Actions #8

Updated by Jim Pingle 8 months ago

  • Status changed from Feedback to Resolved

Working as expected.

  • New users get SHA-512 password only.
  • Existing users get SHA-512 when their password is changed, old formats are removed.
  • Users can login OK either way, it uses whichever format is present on the account (SHA-512, bcrypt, etc).
Actions #9

Updated by Jim Pingle 7 months ago

  • Plus Target Version changed from 21.09 to 22.01
Actions #10

Updated by Viktor Gurov 3 months ago

  • Related to Bug #12800: Suboptimal Password Hashing added
Actions #11

Updated by Jim Pingle 3 months ago

  • Related to Feature #12855: GUI option to select the user password hashing algorithm added
Actions

Also available in: Atom PDF