sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing
Bug #1668503 reported by Morgan Fainberg
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | High | Morgan Fainberg | |
| Mitaka | Won't Fix | Undecided | Unassigned | |
| Newton | Won't Fix | Undecided | Unassigned | |
| Ocata | Won't Fix | Undecided | Unassigned | |
| Pike | Fix Released | High | Morgan Fainberg | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | Fix Released | High | Luke Hinds | |
Bug Description
Keystone uses sha512_crypt for password hashing. This is insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing).
The correct mechanism is to use bcrypt, scrypt, or pbkdf2_sha512 instead of sha512_crypt.
This bug is marked as public security as bug #1543048 has already highlighted this issue.
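An added example, not keystone's code and not the fix referenced on this page, of what the recommended replacement looks like in practice using Python's standard-library PBKDF2-HMAC-SHA512: hashing with a per-user salt and an explicit round count, constant-time verification, and a check that flags legacy sha512_crypt hashes (modular-crypt `$6$` prefix) for re-hashing on the user's next successful login. The hash-string layout, round count and function names are this example's own assumptions, not passlib's or keystone's.

```python
import base64
import hashlib
import hmac
import os

# Constructed constants for this example; not keystone's configuration.
ROUNDS = 50_000            # PBKDF2 iteration count; raise as hardware allows
SALT_BYTES = 16
ALGO_TAG = "pbkdf2-sha512"


def hash_password(password, rounds=ROUNDS, salt=None):
    """Return a self-describing string: $pbkdf2-sha512$<rounds>$<salt>$<digest> (base64)."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return "${}${}${}${}".format(
        ALGO_TAG,
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute PBKDF2 with the stored salt and rounds, compare in constant time."""
    try:
        _, tag, rounds, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        rounds = int(rounds)
    except ValueError:          # malformed string, bad base64 or non-numeric rounds
        return False
    if tag != ALGO_TAG:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored, min_rounds=ROUNDS):
    """True for legacy sha512_crypt ($6$...) hashes or PBKDF2 hashes below min_rounds."""
    if stored.startswith("$6$"):
        return True
    parts = stored.split("$")
    try:
        return len(parts) != 5 or parts[1] != ALGO_TAG or int(parts[2]) < min_rounds
    except ValueError:
        return True
```

A login path would call `verify_password` first and, only on success, re-hash with `hash_password` when `needs_rehash` is true, so the legacy hashes are retired without a forced reset.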
Changed in keystone:
  importance: Critical → High
  description: updated
  summary: "sha512_crypt is insufficient, use pdkfd_sha512 for password hashing" → "sha512_crypt is insufficient, use pbkdf2_sha512 for password hashing"
  description: updated
Changed in keystone:
  assignee: Morgan Fainberg (mdrnstm) → Gage Hugo (gagehugo)
Changed in ossn:
  status: New → In Progress
  importance: Undecided → High
Changed in ossn:
  status: In Progress → Fix Committed
Changed in ossn:
  status: Fix Committed → Fix Released
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.