Comment 9 for bug 1668503

Morgan Fainberg (mdrnstm) wrote : Re: [Bug 1668503] Re: sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing

All new/updated/changed passwords (after upgrade) would be bcrypt hashed,
old passwords remain sha512_crypt. An operator may want to force password
changes.

On Aug 15, 2017 00:11, "Luke Hinds" <email address hidden> wrote:

> Couple of Q's...
>
> For the OSSN what would the 'recommended actions' be to update to Pike?
>
> Is it a seamless crossover going from sha512_crypt to bcrypt, scrypt, or
> pbkdf2_sha512, or would passwords need to be regenerated (thinking in
> this instance of an operator upgrading from a previous release to Pike)?
>
> ** Changed in: ossn
> Assignee: (unassigned) => Luke Hinds (lhinds)
>
> https://bugs.launchpad.net/bugs/1668503
>
> Title:
> sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
>
> Status in OpenStack Identity (keystone):
> Fix Released
> Status in OpenStack Identity (keystone) mitaka series:
> Won't Fix
> Status in OpenStack Identity (keystone) newton series:
> Won't Fix
> Status in OpenStack Identity (keystone) ocata series:
> Won't Fix
> Status in OpenStack Identity (keystone) pike series:
> Fix Released
> Status in OpenStack Security Advisory:
> Won't Fix
> Status in OpenStack Security Notes:
> New
>
> Bug description:
> Keystone uses sha512_crypt for password hashing. This is insufficient
> and provides limited protection (even with 10,000 rounds) against
> brute-forcing of the password hashes (especially with FPGAs and/or GPU
> processing).
>
> The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512
> instead of sha512_crypt.
>
> This bug is marked as public security as bug #1543048 has already
> highlighted this issue.
>
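The crossover described in this comment (new hashes in the stronger scheme, old sha512_crypt hashes left in place until the password changes) is usually implemented as verify-then-rehash on login, plus an audit of which accounts are still on the legacy scheme. The code below is an added example, not keystone's or passlib's code; it uses pbkdf2_sha512 from the standard library as the replacement scheme, and the `$pbkdf2-sha512$` string layout, the `ROUNDS` value and the pluggable `legacy_verify` callable are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Scheme is identified by the stored hash's prefix: "$6$" is the sha512_crypt
# format keystone used before this fix, "$pbkdf2-sha512$" marks the replacement.
# The pbkdf2 string layout and ROUNDS are constructed for this example, not
# passlib's exact encoding or keystone's configured defaults.
LEGACY_PREFIX = "$6$"
CURRENT_PREFIX = "$pbkdf2-sha512$"
ROUNDS = 25000

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

def hash_password(password, rounds=ROUNDS, salt=None):
    """Hash with PBKDF2-HMAC-SHA512, the scheme new passwords get after upgrade."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"{CURRENT_PREFIX}{rounds}${_b64(salt)}${_b64(dk)}"

def verify_pbkdf2(password, stored):
    _, _, rounds, salt, dk = stored.split("$")
    salt, expected = base64.b64decode(salt), base64.b64decode(dk)
    actual = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(rounds))
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def needs_rehash(stored):
    """True for legacy sha512_crypt hashes and for pbkdf2 hashes below ROUNDS."""
    if not stored.startswith(CURRENT_PREFIX):
        return True
    return int(stored.split("$")[2]) < ROUNDS

def verify_and_upgrade(password, stored, legacy_verify):
    """Check `password` against whichever scheme `stored` uses; on success also
    return a fresh pbkdf2 hash when the stored one is legacy or weak, so old
    hashes are replaced as users log in. `legacy_verify(password, stored)` is
    the caller's sha512_crypt checker (e.g. passlib's sha512_crypt.verify)."""
    if stored.startswith(CURRENT_PREFIX):
        ok = verify_pbkdf2(password, stored)
    elif stored.startswith(LEGACY_PREFIX):
        ok = legacy_verify(password, stored)
    else:
        return False, None  # unknown format: reject rather than guess
    return ok, (hash_password(password) if ok and needs_rehash(stored) else None)

def legacy_users(rows):
    """Audit (user_id, stored_hash) rows for accounts still on a non-current hash."""
    return [uid for uid, stored in rows if needs_rehash(stored)]
```

`legacy_users` gives an operator the list of accounts that would otherwise keep their sha512_crypt hash indefinitely, which is the set to consider for a forced password change.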