comparison doc/upgrading.txt @ 8239:6bd11a73f2ed
issue2551253. default hash is PBKDF2-SHA512.
The default password hashing algorithm has been upgraded to
PBKDF2-SHA512 from PBKDF2-SHA1. The default pbkdf2 rounds in the
config file have been changed to 250000.
Doc updated.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 30 Dec 2024 02:57:46 -0500 |
| parents | 57325fea9982 |
| children | 2a7c3eeaf167 |
| 8238:05405220dc38 | 8239:6bd11a73f2ed |
|---|---|
| 156 + | 156 + |
| 157 # make sure none of the alts are owned by anyone other than us (x!=nodeid) | 157 # make sure none of the alts are owned by anyone other than us (x!=nodeid) |
| 158 | 158 |
| 159 add the lines marked with ``+`` in the file in the location after | 159 add the lines marked with ``+`` in the file in the location after |
| 160 check_main is assigned. | 160 check_main is assigned. |
| 161 | |
| 162 Modify config.ini password_pbkdf2_default_rounds setting (recommended) | |
| 163 ---------------------------------------------------------------------- | |
| 164 | |
| 165 The method for hashing and storing passwords has been updated to use | |
| 166 PBKDF2 with SHA512 hash. This change was first introduced in Roundup | |
| 167 2.3 and is now the standard. If you previously added code in | |
| 168 interfaces.py for a `PBKDF2 upgrade`_ to enable PBKDF2S5, you can | |
| 169 remove that code now. | |
| 170 | |
| 171 SHA512 is a more secure hash, it requires fewer rounds to ensure | |
| 172 safety. The older PBKDF2-SHA1 needed around 2 million rounds. | |
| 173 | |
| 174 You should update the ``password_pbkdf2_default_rounds`` setting in | |
| 175 ``config.ini`` to 250000. This value is higher than the OWASP | |
| 176 recommendation of 210000 from three years ago. If you don’t make this | |
| 177 change, logins will be slow, especially for REST or XMLRPC calls. | |
| 178 | |
| 179 See `PBKDF2 upgrade`_ for details on how to test the algorithm's | |
| 180 speed. We do not recommend reverting to the older SHA1 PBKDF2. If you | |
| 181 have to do so due to a slow CPU, you can add the following to your | |
| 182 tracker's ``interfaces.py``:: | |
| 183 | |
| 184 from roundup.password import Password | |
| 185 ## Use PBDKF2 (PBKDF2-SHA1) as default hash for passwords. | |
| 186 # That scheme is at the start of the deprecated_schemes list and ha | |
| 187 # to be removed. | |
| 188 Password.default_scheme = Password.deprecated_schemes.pop(0) | |
| 189 # Add PBKDF2S5 (PBKDF2-SHA512) as a valid scheme. Passwords | |
| 190 # using it will be rehashed to use PBDKF2. | |
| 191 Password.experimental_schemes[0] = "PBKDF2S5" | |
| 192 | |
| 193 If you proceed with this, you should set | |
| 194 ``password_pbkdf2_default_rounds`` to 2 million or more rounds to keep | |
| 195 your hashed password database secure in case it gets stolen. | |
| 161 | 196 |
| 162 Defusedxml support improves XMLRPC security (optional) | 197 Defusedxml support improves XMLRPC security (optional) |
| 163 ------------------------------------------------------ | 198 ------------------------------------------------------ |
| 164 | 199 |
| 165 This release adds support for the defusedxml_ module. If it is | 200 This release adds support for the defusedxml_ module. If it is |
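Review bot: the interfaces.py snippet at new line 191 writes `Password.experimental_schemes[0] = "PBKDF2S5"`, which overwrites whatever scheme currently sits at index 0 and raises IndexError if the list is empty; since the comment on line 189 says the intent is to "Add PBKDF2S5 ... as a valid scheme", `Password.experimental_schemes.insert(0, "PBKDF2S5")` (or `.append(...)`) expresses that intent without clobbering an existing entry. In the same block, "PBDKF2" at lines 185 and 190 should read "PBKDF2", and "and ha to be removed" at line 186 should read "and has to be removed". The rationale at line 171 ("SHA512 is a more secure hash, it requires fewer rounds to ensure safety") is a comma splice that also blurs cause and effect; suggest "SHA512 is a more secure hash, so it needs fewer rounds to give the same protection." Finally, line 176 quotes "the OWASP recommendation of 210000 from three years ago" with no link or year, while the existing document already links the OWASP Password Storage Cheat Sheet via the `recommended setting of 1,300,000` target (line 1328); cite the same source here and say which PBKDF2 variant each figure applies to, otherwise the 210000 and 1,300,000 numbers read as contradicting each other.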
| 1290 You should find out how to make the import succeed. You may need to | 1325 You should find out how to make the import succeed. You may need to |
| 1291 install an OS vendor package or some other library. | 1326 install an OS vendor package or some other library. |
| 1292 | 1327 |
| 1293 .. _recommended setting of 1,300,000: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 | 1328 .. _recommended setting of 1,300,000: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 |
| 1294 | 1329 |
| 1330 .. _PBKDF2 upgrade: | |
| 1331 | |
| 1295 Upgrade to PBKDF2-SHA512 from current PBKDF2-SHA1 (recommended) | 1332 Upgrade to PBKDF2-SHA512 from current PBKDF2-SHA1 (recommended) |
| 1296 --------------------------------------------------------------- | 1333 --------------------------------------------------------------- |
| 1297 | 1334 |
| 1298 We recommend that you upgrade to using PBKDF2-SHA512 for hashing your | 1335 We recommend that you upgrade to using PBKDF2-SHA512 for hashing your |
| 1299 passwords. This is a more secure method than the old PBKDF2 (with | 1336 passwords. This is a more secure method than the old PBKDF2 (with |
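Review bot: the new `.. _PBKDF2 upgrade:` target at line 1330 sends readers of the new section (which states that PBKDF2-SHA512 "is now the standard" and that the interfaces.py upgrade code "can be removed") to a section still titled "Upgrade to PBKDF2-SHA512 from current PBKDF2-SHA1 (recommended)" that opens with "We recommend that you upgrade to using PBKDF2-SHA512". The new text only wants this section for its instructions on testing the algorithm's speed, so either retitle it to reflect that (for example "Testing PBKDF2 speed") or add a lead sentence noting that SHA512 is now the default and the upgrade steps apply only to trackers on releases before 2.3; as written the two sections give conflicting advice about whether any action is needed.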
