On Wed, Feb 5, 2014 at 1:03 PM, Brion Vibber bvibber@wikimedia.org wrote:
Offhand I'd say "use bcrypt", but from http://us3.php.net/password_hash --
"*Caution*
Using the *PASSWORD_BCRYPT* for the *algo* parameter, will result in the *password* parameter being truncated to a maximum length of 72 characters. This is only a concern if are using the same salt to hash strings with this algorithm that are over 72 bytes in length, as this will result in those hashes being identical."
Is the 72-byte truncation a general bcrypt problem or specific to password_hash()? Any concerns or a non-issue? Note that some non-Latin strings can only fit 24 chars in 72 bytes of UTF-8. Long enough for most passwords, but some people like passphrases. :)
It's an issue with bcrypt itself (only uses 18 32 bit keys). Good point.
-- brion
On Wed, Feb 5, 2014 at 12:53 PM, Chris Steipp csteipp@wikimedia.org wrote:
Hi all, I wanted to bikeshed just a little bit, to make sure there is
some
consensus.
tl;dr We're upgrading the password hash used to store passwords to make offline cracking more difficult. In doing that, we need to set one of the options as default. Speak up if you have strong feelings about one over
the
other.
Along with refactoring how passwords are stored and checked, https://gerrit.wikimedia.org/r/#/c/77645 implements two strong hashing algorithms PBKDF2 [1] and bcrypt [2]. I added a followup commit to add in the algorithm that Tim came up with in 2010 using Whirlpool as a hash function [3].
For any of these, there is a maintenance script to wrap current passwords with one of the strong ones, so we can upgrade the whole database without interaction from the users. It's also simple to upgrade the work factor
or
change to a new algorithm, if we decide that is needed in the future. But for the actual default...
Bcrypt is probably the most common option for password storage in webapps that I see. PHP 5.5 uses it as the default for the new password_hash() function. The only issue is that PHP before 5.3.7 had a flaw in their implementation which resulted in weak hashes. If we set bcrypt as
default,
we would want to raise the minimum php version to 5.3.7 (it's currently 5.3.2) for MediaWIki 1.23.
PBKDF2 is an RSA standard and is included in PHP 5.5. Tyler did an implementation in the patch to make it backwards compatible. The only downside to it is the connection to RSA, who may have knowingly standardized weak algorithms, although the security properties of PBKDF2 are fairly well studied and haven't been called into question.
The Whirlpool algorithm by Tim would force password cracking software to
do
a custom implementation for our hashes. It has very similar work effort
to
bcrypt, and should keep our passwords as safe as using bcrypt. The theory behind it seems good, but obviously, we might discover a gaping hole in
it
at some point.
Is there any strong preference among these options? My personal vote is
for
bcrypt, if bumping the php version doesn't seem like a big deal to everyone.
[1] - https://en.wikipedia.org/wiki/PBKDF2 [2] - https://en.wikipedia.org/wiki/Bcrypt [3] - http://www.mail-archive.com/wikitech-l@lists.wikimedia.org/msg08830.html _______________________________________________ Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l