use passlib, remove weak hashes

Issue #766 resolved
Thomas Waldmann created an issue

passlib is a nice and well written library to create and verify password hashes (also has some other nice functionality related to random bytes/strings, password generator, etc.). most stuff in it is pure python, so no compiler needed for installing it (one exception is if you want to use bcrypt, then it has some dependencies that have parts in C).

the point why it should be used is that such code can easily be done wrong if you are not a crypto expert (and most of us are not). if you do it wrong, you might have a security issue in your own code / in installations of it and also you are potentially exposing user passwords in case someone gets direct access to the password hashes you created/stored and they are too easy to crack. This can be a legitimate user or admin having access to the hashes or some illegal break-in into such a system (due to some different security issue in some software running on that system).

While the current rhodecode code uses bcrypt (which is considered safe) on e.g. Linux, it uses a plain unsalted sha256 hash on Windows. With some modern GPUs and special software, you can brute force more than a billion (10^9) sha256 hashes PER SECOND on a single graphics card.


For all systems, rhodecode does not use a constant-time comparison function to compare the hashes, but just a plain "==". This might be a target for timing attacks.

If you additionally consider that many users don't use different passwords on different systems, there might be quite a big impact in case most of the passwords can quickly get brute forced. How fast a pw can get brute forced depends on the GPU speed, the password length and complexity. But: what was considered a safe password some years ago might be a weak one nowadays.

I recently (after having security breaches on some moin installations) implemented usage of passlib for MoinMoin 1.9 and 2.0, some advice:

  • sha512_crypt seems to be safe and does not need binary stuff or other dependencies, it might be even rather fast to check as it uses C code already present on some platforms
  • pbkdf2 is also there, slower on some platforms?
  • bcrypt is also there, but binary dependencies
  • passlib api is quite stable, one can easily make code compatible even to older passlib versions (might be relevant for packaging on e.g. linux)
  • due to bug fixes and enhancements, it is advisable to use latest passlib release, though
  • you need to actively get rid of ALL unsafe old hashes at once, do a global password invalidation and force users to re-enter a NEW password and store it using the safe algorithm (this likely should get into the docs for admins of rhodecode installations)
  • do not rely on users logging in sooner or later and then upgrading the unsafe hash to the safe one. some users might rarely or never ever log in again, but you don't want to keep the unsafe hashes in your storage forever.
  • ADDITIONALLY upgrade password hashes on login also (this is also needed e.g. if you change passlib params later)

Comments (1)

  1. Log in to comment