
Password hash function #13

Open
mbrooks-stachliu opened this issue May 29, 2013 · 2 comments

Comments

@mbrooks-stachliu

There is a vulnerability related to how passwords are stored. It is referred to as CWE-916: Use of Password Hash With Insufficient Computational Effort:
http://cwe.mitre.org/data/definitions/916.html

On line 59 the generate_password_hash() method is used without specifying a password hash function:
https://github.com/scotch/engineauth/blob/master/engineauth/strategies/password.py

This will default to sha1:
http://webapp-improved.appspot.com/_modules/webapp2_extras/security.html#generate_password_hash

hashlib supports sha256, which is better than sha1 for passwords, however still not suitable. Ideally you want a heavy KDF function such as bcrypt or scrypt.

This is a good read on bcrypt for passwords:
http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage/6415

I will also file a bug with webapp2.

@kylefinley
Member

@mbrooks-stachliu,

Sorry for the late response.

You're absolutely right; EngineAuth should be using a more secure strategy. It's been some time since I've looked into it, but at the time bcrypt and scrypt were not included in the Python App Engine environment and a pure Python implementation would be too processor-intensive to be useful.

According to this answer (http://stackoverflow.com/a/7029369/236564), PBKDF2 or SHA-512-Crypt might be a viable solution.

Would you be interested in working on this?

@mbrooks-stachliu
Author

Conceptually this is a pretty easy fix. It is just a drop-in replacement of a function call. However, it should be noted that this version is not backwards compatible with previous versions.

Also, use bcrypt; I think that's the best of the three.

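Two points raised in this thread are worth seeing in code: the first comment's point that `generate_password_hash()` falls back to a fast SHA-1 hash unless a method is chosen (CWE-916), and the last comment's point that swapping the hash function breaks compatibility with already-stored hashes. The example below is added here and is not EngineAuth's or webapp2's code. It uses PBKDF2-HMAC-SHA256 from the standard library, the pure-Python-friendly option the second comment mentions, and shows a login-time migration: a stored hash in the old fast format is verified once more, then replaced with a PBKDF2 hash. The storage layout (`method$iterations$salt$hash`), the work factor of 100,000 iterations, and the `legacy_sha1_hash()` stand-in for the old format are all assumptions made for this example; the real webapp2 layout is not claimed here.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical replacement for a generate_password_hash() call that relies on a
# fast SHA-1 default. PBKDF2-HMAC-SHA256 ships with hashlib, so it needs no C
# extension (the App Engine constraint mentioned in the thread).
PBKDF2_METHOD = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune for the deployment
SALT_BYTES = 16


def generate_password_hash(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' (layout chosen for this example)."""
    if salt is None:
        salt = base64.b64encode(os.urandom(SALT_BYTES)).decode("ascii")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    return "$".join([PBKDF2_METHOD, str(iterations), salt,
                     base64.b64encode(digest).decode("ascii")])


def legacy_sha1_hash(password, salt):
    """Constructed stand-in for the old fast format: '<hexdigest>$<salt>$sha1'.
    It exists only so the migration path below has something to recognise;
    it is not the real webapp2 layout."""
    digest = hmac.new(salt.encode("ascii"), password.encode("utf-8"),
                      hashlib.sha1).hexdigest()
    return "$".join([digest, salt, "sha1"])


def _parse(stored):
    """Return (method, iterations, salt, hash) for either layout, or None."""
    parts = stored.split("$")
    if len(parts) == 4 and parts[0] == PBKDF2_METHOD and parts[1].isdigit():
        return PBKDF2_METHOD, int(parts[1]), parts[2], parts[3]
    if len(parts) == 3 and parts[2] == "sha1":
        return "sha1", 1, parts[1], parts[0]
    return None


def check_password_hash(password, stored):
    """Verify against either layout using a constant-time comparison."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    method, iterations, salt, _expected = parsed
    if method == PBKDF2_METHOD:
        candidate = generate_password_hash(password, iterations, salt)
    else:
        candidate = legacy_sha1_hash(password, salt)
    # Recomputing the full stored string with the stored salt lets one
    # constant-time compare cover method, iterations, salt and digest.
    return hmac.compare_digest(candidate, stored)


def needs_rehash(stored, iterations=PBKDF2_ITERATIONS):
    """True for legacy hashes and for PBKDF2 hashes below the current work factor."""
    parsed = _parse(stored)
    return parsed is None or parsed[0] != PBKDF2_METHOD or parsed[1] < iterations


def verify_and_upgrade(password, stored, iterations=PBKDF2_ITERATIONS):
    """Login-time migration: returns (ok, new_stored). new_stored is None when
    the stored value is already current; otherwise the caller persists it.
    This keeps the change backwards compatible: old hashes keep working until
    each user logs in once, at which point they are replaced."""
    if not check_password_hash(password, stored):
        return False, None
    if needs_rehash(stored, iterations):
        return True, generate_password_hash(password, iterations)
    return True, None


if __name__ == "__main__":
    # Constructed sample: a user whose record still holds the old fast hash.
    old = legacy_sha1_hash("correct horse battery staple", "constructed-salt")
    ok, upgraded = verify_and_upgrade("correct horse battery staple", old)
    print(ok, upgraded)
```

The upgrade path only works while the old hash function is still recognised, so the legacy branch should be kept until every active account has been migrated (or the remaining accounts are forced through a password reset); unparseable stored values fail closed rather than being treated as a match.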
