Bug #431: Slow Hashing Algorithm for Passwords
| Field | Value |
|---|---|
| ID | #431 |
| Submitter | Cirras |
| Product | EOSERV |
| Severity | Feature Request |
| Status | OPEN, CONFIRMED |
| Submitted | 27th Sep 2016 |
| Updated | 26th Oct 2016 |
A salted SHA-256 isn't really optimal for password hashing in a scenario where a bad actor has gotten a hold of your database and hashed passwords through SQL injection, a VPS break in (cough nice fake ID Andrewbob), or other means.
It would be nice if EOSERV came with the option for bcrypt or scrypt out of the box. These methods make bruteforcing the passwords a far less viable option because they're designed to be costlier in terms of performance.
Naturally, that's a good thing because it means it takes significantly longer for a hacker's machine(s) to bruteforce passwords - even if they have the means to do so without the throttling that EOSERV imposes by directly comparing with the database for a match on the hash.
Especially considering there have been at least 3 high-profile database leaks in this community, this might be a good one to look into.
Comments
Sidenote: I haven't the foggiest idea how existing databases would be converted to a different hashing method, since SHA-256 isn't reversible.
(Th-thanks NSA?)
That would certainly be a logistical kink to work out.
To migrate password schemes you can either build on top of the hash (e.g. kdf(sha256(pw))) or version the passwords and retain support for all previous versions (when someone with a version 1, i.e. sha256 password logs in, they get their password upgraded to version 2 since it's available in plain-text at that moment).
Big reason this isn't done already is because EOSERV is single-threaded and doesn't have a work queue plus an easy way to defer execution of the login handler.
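The two migration routes described in the comment above, as an added example in Python (not EOSERV's own code, which is C++): versioned records that are re-hashed with scrypt the next time the user logs in, and wrapping a stored SHA-256 digest in scrypt offline without needing the plaintext. The record layout, the version tags and the scrypt parameters are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Stored record layout assumed for this example: "<version>$<salt hex>$<digest hex>"
V1_SHA256 = "1"   # legacy scheme: sha256(salt || password)
V2_SCRYPT = "2"   # upgraded scheme: scrypt(password, salt), re-hashed from plaintext at login
V3_WRAPPED = "3"  # offline upgrade: scrypt(sha256(salt || password), salt), no plaintext needed
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # constructed parameters; tune to your hardware

def _sha256(password: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password).digest()

def _scrypt(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, **SCRYPT_PARAMS)

def _digest(version: str, password: bytes, salt: bytes) -> bytes:
    if version == V1_SHA256:
        return _sha256(password, salt)
    if version == V2_SCRYPT:
        return _scrypt(password, salt)
    if version == V3_WRAPPED:
        return _scrypt(_sha256(password, salt), salt)
    raise ValueError(f"unknown password scheme version {version!r}")

def make_record(version: str, password: str, salt=None) -> str:
    salt = salt or os.urandom(16)
    return f"{version}${salt.hex()}${_digest(version, password.encode(), salt).hex()}"

def wrap_legacy(record: str) -> str:
    """Upgrade a v1 record to v3 offline by running scrypt over the stored SHA-256 digest."""
    version, salt_hex, digest_hex = record.split("$")
    if version != V1_SHA256:
        raise ValueError("only v1 records can be wrapped")
    salt = bytes.fromhex(salt_hex)
    return f"{V3_WRAPPED}${salt_hex}${_scrypt(bytes.fromhex(digest_hex), salt).hex()}"

def verify_and_upgrade(record: str, password: str):
    """Check a login. On success with a non-v2 record, also return a fresh v2 record to store."""
    version, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    candidate = _digest(version, password.encode(), salt)
    # constant-time comparison so the check itself leaks nothing about the stored digest
    if not hmac.compare_digest(candidate, bytes.fromhex(digest_hex)):
        return False, None
    if version != V2_SCRYPT:
        return True, make_record(V2_SCRYPT, password)  # plaintext is in hand right now
    return True, None
```

Each scrypt call blocks the caller for a noticeable slice of CPU time, which is exactly why the single-threaded login handler mentioned above would need a work queue before this could ship.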
Updated Status to CONFIRMED