Actions
Todo #10298
closedUse SHA-512 for user password hashes
Start date:
02/27/2020
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
22.01
Release Notes:
Description
function local_user_set_password() from auth.inc,
for now uses password_hash($password, PASSWORD_BCRYPT) function to create user password hash
from https://www.php.net/manual/en/function.password-hash.php:
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
Is it possible to use CNSA-compatible hashing for this operation?
From https://apps.nsa.gov/iaarchive/programs/iad-initiatives/cnsa-suite.cfm:
Use SHA-384 to protect up to TOP SECRET. ( http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf )
Using hash() ?
https://stackoverflow.com/questions/6431918/php-sha256-and-salt-wont-work
Related issues
Updated by Brad Davis over 3 years ago
- Assignee set to Viktor Gurov
Can you implement this and switch to SHA-512?
Updated by Jim Pingle over 3 years ago
- Target version changed from 64 to 2.6.0
- Plus Target Version set to 21.09
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
Updated by Jim Pingle over 3 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset a38556ffba0f8d6cf3f61bd7469ebbb922fd3f64.
Updated by Jim Pingle over 3 years ago
- Tracker changed from Feature to Todo
- Subject changed from Use CNSA-compliant algo to hash user password to Use SHA-512 for user password hashes
Updating subject and tracker for release notes.
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Resolved
Working as expected.
- New users get SHA-512 password only.
- Existing users get SHA-512 when their password is changed, old formats are removed.
- Users can login OK either way, it uses whichever format is present on the account (SHA-512, bcrypt, etc).
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Viktor Gurov almost 3 years ago
- Related to Bug #12800: Suboptimal Password Hashing added
Updated by Jim Pingle almost 3 years ago
- Related to Feature #12855: GUI option to select the user password hashing algorithm added
Actions