Feature #12855: GUI option to select the user password hashing algorithm - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.07 Plus - All Closed Issues
24.07 Plus - All Open Issues
24.07 Plus - Feedback Issues
24.07 Plus - Needs Attention/Work
24.07 Plus - New/Confirmed/In Progress Issues
24.07 Plus - Pull Request Review
24.07 Plus - Waiting on Merge
24.07 Target - All Closed Issues
24.07 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Feature #12855

closed

GUI option to select the user password hashing algorithm

Added by Jim Pingle about 2 years ago. Updated about 2 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

Authentication

Target version:

2.7.0

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

22.05

Release Notes:

Default

Description

Different scenarios may call for different types of password hashing so it makes sense to give users the choice rather than only having a single default method.

We should offer a choice between at least the following hashes:

bcrypt (Default) for higher security
SHA-512 with the default number of rounds for compatibility/compliance/performance

Though we could offer a higher number of rounds with SHA512, the number of rounds must be identical when hashing and checking the hash so it is not compatible with hashes made with the default number of rounds. There could maybe be a separate/isolated "high rounds" SHA-512 option but that may be more confusing as it would require treating it as a completely separate hash type with its own uniquely named tag and so on.

We already have code in place to check these hash types, so the necessary changes should be fairly simple:

Add a UI element to pick the hash type on system_usermanager_settings.php
Add code to check the value of this setting before creating a hash of a user password
Ensure the code cleans up other hash types when making a new hash

Related issues

Related to Todo #10298: Use SHA-512 for user password hashes

Resolved

Viktor Gurov

02/27/2020

Actions

Related to Bug #12800: Suboptimal Password Hashing

Closed

Jim Pingle

Actions

Issue # Delay: days Cancel

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Jim Pingle about 2 years ago

Related to Todo #10298: Use SHA-512 for user password hashes added
Related to Bug #12800: Suboptimal Password Hashing added

Actions

Copy link

Updated by Royce Williams about 2 years ago

Jim Pingle wrote:

Though we could offer a higher number of rounds with SHA512, the number of rounds must be identical when hashing and checking the hash so it is not compatible with hashes made with the default number of rounds.

For what it's worth, both bcrypt and sha512crypt are designed to expect their variable work factors to be programmatically available to, and detected and used by, the authentication layer - for work factors to not be hard-coded on the authentication side (other than as default values at hash creation time only).

In other words, a given set of hashes should be able to contain an arbitrary mix of rounds, which are then automatically used as part of hash validation on a hash-by-hash basis. This allows for transparent forward and backward compatibility over time.

For example, if future hardware speeds make it attractive to change the bcrypt default from 10 to 12, then when all new hashes can be created with cost 12, all legacy cost 10 bcrypt hashes should also continue to Just Work.

Edit: interested readers may not be aware that sha512crypt has a "silent" default of 5000 rounds, and only when that value is overridden does the number of rounds explicitly appear in the hash:

$ mkpasswd -m SHA-512 -S $(tr -dc '[:alnum:]./' < /dev/urandom | fold -w ${1:-16} | head -n 1)
Password: 
$6$5XxpqcgR.YyEC9mk$9oeQAUShRn7ZhnmlOGihguD0QI5Mi2wvm5bs1RpfFteMCPoDSQ/vEBsES0hfoV9anwn3SAVEsT97Ha84L7g2v/

$ mkpasswd -m SHA-512 -S $(tr -dc '[:alnum:]./' < /dev/urandom | fold -w ${1:-16} | head -n 1) -R 5000
Password: 
$6$rounds=5000$6R37T0WdXN3MC3Hd$T9Ze7R6ZZHuw9WGNTM838.LmJOUpZ1kTCifMk0AGNqnDzQSEEqRWWt/8vr5mWgS2ZP7HyvRZ/D6JLFr1Ck6l4/

$ mkpasswd -m SHA-512 -S $(tr -dc '[:alnum:]./' < /dev/urandom | fold -w ${1:-16} | head -n 1) -R 800000
Password: 
$6$rounds=800000$GAuO13spo1MJYChS$jtB8CbJu2vKIwIljcDP/YLKKII5r6jhX/9kJrZbmPrsFDG0.D8IETRUIvaf9KEp7H91yj/vOG3tBKLtw2QO/z.

Actions

Copy link

Updated by Jim Pingle about 2 years ago

Status changed from In Progress to Pull Request Review

Internal MR for initial testing/review: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/636

Actions

Copy link

Updated by Jim Pingle about 2 years ago

Status changed from Pull Request Review to Feedback
% Done changed from 0 to 100

Applied in changeset 8ddf2b5a999772754080825f07acf9b6326f1f04.

Actions

Copy link

Updated by Jim Pingle about 2 years ago

This has been merged and will be in snapshots soon.

For those who would like to try it out, even on 22.01/2.6.0, install the System Patches package and then create entries for 961f240c18f8421b0a28ee192ffa041e754e8f8e and then 8ddf2b5a999772754080825f07acf9b6326f1f04 to apply the fix.

Apply 961f240c18f8421b0a28ee192ffa041e754e8f8e first followed by 8ddf2b5a999772754080825f07acf9b6326f1f04

Actions

Copy link

Updated by Jim Pingle about 2 years ago

Status changed from Feedback to Resolved

This is working well. I've also added it as a recommended patch option in the new system patches package, so people on 22.01 and 2.6.0 have an easy way to obtain the change without waiting for the next release or adding a patch entry by hand.

Actions

Copy link

Updated by Jim Pingle about 2 years ago

Subject changed from Allow the user to choose password hashing method to GUI option to select the user password hashing algorithm

Updating subject for release notes.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Feature #12855

GUI option to select the user password hashing algorithm

Updated by Jim Pingle about 2 years ago

Updated by Royce Williams about 2 years ago

Updated by Jim Pingle about 2 years ago

Updated by Jim Pingle about 2 years ago

Updated by Jim Pingle about 2 years ago

Updated by Jim Pingle about 2 years ago

Updated by Jim Pingle about 2 years ago