comparison doc/upgrading.txt @ 7166:1549c7e74ef8
issue2551251 - migrate pbkdf2 passwords ... test fixes and doc update
Fixed a couple of tests where calls to needs_migration() were missing
its config parameter.
Documented need to update config.ini's password_pbkdf2_default_rounds.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 24 Feb 2023 23:47:28 -0500 |
| parents | 89a59e46b3af |
| children | 12a3cd86668f |
| 7165:970cd6d2b8ea | 7166:1549c7e74ef8 |
|---|---|
| 176 all their changes and log out of Roundup before the upgrade | 176 all their changes and log out of Roundup before the upgrade |
| 177 is done to minimize confusion. Because the data is | 177 is done to minimize confusion. Because the data is |
| 178 ephemeral, there is no plan to migrate this data to the new | 178 ephemeral, there is no plan to migrate this data to the new |
| 179 SQLite databases. If you want to keep using the data set the | 179 SQLite databases. If you want to keep using the data set the |
| 180 ``sessiondb`` ``backend`` option as described above. | 180 ``sessiondb`` ``backend`` option as described above. |
| 181 | |
| 182 Update ``config.ini``'s ``password_pbkdf2_default_rounds`` (required) | |
| 183 --------------------------------------------------------------------- | |
| 184 | |
| 185 Roundup hashes passwords using PBKDF2 with SHA1. PBKDF2 has a | |
| 186 parameter that makes hashing a password more difficult to do. | |
| 187 The original 10000 value was set years ago. It has not been | |
| 188 updated for advancements in computing power. | |
| 189 | |
| 190 This release of Roundup changes the value to 2000000 (2 | |
| 191 million). This exceeds the current `recommended setting of | |
| 192 1,300,000`_ for PBKDF2 when used with SHA1. | |
| 193 | |
| 194 After the change users will still be able to log in using the | |
| 195 older 10000 round hashed passwords. If ``migrate_passwords`` is | |
| 196 set to ``yes``, passwords will be automatically re-hashed using | |
| 197 the new higher value when the user logs in. | |
| 198 | |
| 199 This re-hashing might result in a slight delay (under 1 | |
| 200 second). If you see a large slowdown, check to see if you can | |
| 201 execute:: | |
| 202 | |
| 203 python3 -c 'from hashlib import pbkdf2_hmac' | |
| 204 | |
| 205 without an error. | |
| 206 | |
| 207 If you get an ImportError, you are using Roundup's fallback | |
| 208 PBKDF2 implementation. It is written in Python and is much slower | |
| 209 than the library version. As a result re-encrypting the password | |
| 210 (and logging in which requires calculating the encrypted | |
| 211 password) will be very slow. | |
| 212 | |
| 213 You should find out how to make this succeed. You may need to | |
| 214 install an OS vendor package or some other library. | |
| 215 | |
| 216 .. _recommended setting of 1,300,000: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 | |
| 181 | 217 |
| 182 Session/OTK data storage using Redis (optional) | 218 Session/OTK data storage using Redis (optional) |
| 183 ----------------------------------------------- | 219 ----------------------------------------------- |
| 184 | 220 |
| 185 You can store your ephemeral data in a Redis database. This | 221 You can store your ephemeral data in a Redis database. This |
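Review bot: the new section is titled "(required)" and names ``password_pbkdf2_default_rounds``, yet its body never states the concrete action for the administrator: whether an existing ``config.ini`` must be edited, what value to put there (the text only says "this release changes the value to 2000000"), or whether the new default takes effect without any edit. Lead the section with the instruction itself, e.g. "Set ``password_pbkdf2_default_rounds = 2000000`` in ``config.ini``", or drop "(required)" if no edit is needed. Two smaller points: the paragraph beginning "If you get an ImportError" says "re-encrypting the password" and "encrypted password", while the rest of the section correctly says "hashed"; PBKDF2 is a hash, so use "re-hashing" and "hashed password". And the ``python3 -c 'from hashlib import pbkdf2_hmac'`` check only detects a missing function: on CPython releases before 3.12 built without OpenSSL the import succeeds but hashlib uses its slow pure-Python PBKDF2 (deprecated in 3.10, removed in 3.12), so a large slowdown can still occur when the check passes; it would be worth saying that the check is necessary but not sufficient. Number formatting is also inconsistent ("2000000 (2 million)" versus "1,300,000"); pick one style.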
