comparison doc/upgrading.txt @ 7209:c1227f883177
Implement password hash testing using new roundup-admin perftest.
Add new anypy/time_.py to provide a suitable definition for
perf_counter for python2 or 3.
Also update examples in upgrading.txt, man page, new translatable
strings in locale.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 03 Mar 2023 17:37:44 -0500 |
| parents | 12a3cd86668f |
| children | 1f3418a3fd3e |
| 7208:c9fa0ffb0f94 | 7209:c1227f883177 |
|---|---|
| 202 After the change users will still be able to log in using the | 202 After the change users will still be able to log in using the |
| 203 older 10000 round hashed passwords. If ``migrate_passwords`` is | 203 older 10000 round hashed passwords. If ``migrate_passwords`` is |
| 204 set to ``yes``, passwords will be automatically re-hashed using | 204 set to ``yes``, passwords will be automatically re-hashed using |
| 205 the new higher value when the user logs in. | 205 the new higher value when the user logs in. |
| 206 | 206 |
| 207 This re-hashing might result in a slight delay (under 1 | 207 Increasing the number of rounds will slow down re-hashing. That's the |
| 208 second). If you see a large slowdown, check to see if you can | 208 whole point. Sadly it will also slow down logins. Usually the hash |
| 209 execute:: | 209 takes under 1 second, but if you are using a slow chip (e.g. an ARM V6 |
| 210 at 700 bogo mips) it can take 30 seconds to compute the 2000000 | |
| 211 rounds. The slowdown is linear. So what takes .001 seconds at 10000 | |
| 212 rounds will take: ``2000000/10000 * .001 = 200 * .001`` seconds or 0.2 | |
| 213 seconds. | |
| 214 | |
| 215 You can see how long it will take by using the new ``roundup-admin`` | |
| 216 ``perftest`` command. After you have finished migrating your database, | |
| 217 run:: | |
| 218 | |
| 219 roundup-admin -i <tracker_home> perftest password rounds=10000 | |
| 220 | |
| 221 and then:: | |
| 222 | |
| 223 roundup-admin -i <tracker_home> perftest password rounds=2,000,000 | |
| 224 | |
| 225 so see the difference. Output from this command looks like:: | |
| 226 | |
| 227 Hash time: 0.203151849s scheme: PBKDF2 rounds: 10000 | |
| 228 | |
| 229 If your testing reports a hash time in the 0.5 second range for 10000 | |
| 230 rounds, there may be another issue. See if executing:: | |
| 210 | 231 |
| 211 python3 -c 'from hashlib import pbkdf2_hmac' | 232 python3 -c 'from hashlib import pbkdf2_hmac' |
| 212 | 233 |
| 213 without an error. | 234 produces an error. |
| 214 | 235 |
| 215 If you get an ImportError, you are using Roundup's fallback | 236 If you get an ImportError, you are using Roundup's fallback PBKDF2 |
| 216 PBKDF2 implementation. It is written in Python and is much slower | 237 implementation. It is much slower than the library version. As a |
| 217 than the library version. As a result re-encrypting the password | 238 result re-encrypting the password (and logging in, which requires |
| 218 (and logging in which requires calculating the encrypted | 239 calculating the encrypted password) will be very slow. |
| 219 password) will be very slow. | 240 |
| 220 | 241 You should find out how to make the import succeed. You may need to |
| 221 You should find out how to make this succeed. You may need to | |
| 222 install an OS vendor package or some other library. | 242 install an OS vendor package or some other library. |
| 223 | 243 |
| 224 .. _recommended setting of 1,300,000: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 | 244 .. _recommended setting of 1,300,000: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 |
| 225 | 245 |
| 226 Session/OTK data storage using Redis (optional) | 246 Session/OTK data storage using Redis (optional) |
