Flood-UI / flood

A web UI for rTorrent, qBittorrent and Transmission with a Node.js backend and React frontend. Migrate to v4: https://github.com/jesec/flood/wiki/Migrate-from-older-versions-of-Flood.
https://flood.js.org
GNU General Public License v3.0

Modernize hashing password algorithm #514

Closed noraj closed 7 years ago

noraj commented 7 years ago

Issue https://github.com/jfurrow/flood/issues/483 : bcrypt via node-gyp fails to compile on FreeBSD was closed because randomnonsense found a way to compile on FreeBSD but there is still the discussion about changing from bcrypt to a more modern and more secure hashing password algorithm like Argon2.

Here are some of my comments from issue #483:

https://github.com/jfurrow/flood/issues/483#issuecomment-338382112

TL;DR: please use Argon2 with libsodium for nodejs

Blowfish is a deprecated cipher, OpenSSH removed support for it in the last release because there are some well known collision attacks. Bcrypt is more robust than simple blowfish and is still acceptable for password hashing but it begins to be quite old and is based on blowfish which is outdated. The last Password Hashing Competition winner is Argon2, this is the most secure way to store your password.

Please stop using bcrypt because blowfish support will be removed everywhere in the future. Don't use raw SHA-512, it's not designed for password storage and is optimized for GPU.

SHA2 (sha-256, sha-512), SHA3 (blake2, keccak) are optimized to be fast but Bcrypt, Scrypt, PBKDF2, Argon2 are designed to be slow in order to slow down attackers, for password hashing/storage!

It's not up to date on which algorithm to use, but here are some good practices: Salted Password Hashing - Doing it Right

Please refer to this: How to Safely Store Your Users' Passwords in 2016, here is the anchor for nodejs.

I'm not a crypto expert, just a cybersecurity engineer, but my knowledge tells me that using the last winner of PHC is the best you can do.

PS: maybe open a new issue to switch from bcrypt to argon2

https://github.com/jfurrow/flood/issues/483#issuecomment-338460908

TL;DR : PHD said Argon2, just use it.

@SanPilot Of course I read that, bcrypt is better than PBKDF2, the answer says that bcrypt is optimally secure and has a flaw by design, the answer also says the algorithm is quite old (1999), the answer doesn't talk about Argon2 at all. The NIST document quoted is from 2010. So I don't agree with you at all. Bcrypt is not, but was, the best password hashing algorithm. Now it's too old and blowfish is not secure enough.

Argon2 was the winner of PHC in July 2015 but was already finished in March 2014. PHC winner means that the algorithm was chosen and tested by all the best crypto experts of the world. Bcrypt is not only mature but also deprecated and crypto experts tell us to use Argon2 now. You also don't talk about scrypt, you can't say it's shiny new and not used, half of the crypto money uses scrypt.

Argon2d implementation maximizes resistance to GPU cracking attacks, Argon2i is optimized to resist side-channel attacks, Argon2id is a hybrid version.

You need more crypto.stackexchange? Password hashing security of argon2 versus bcrypt/PBKDF2?

Here are some saying bcrypt is the past, scrypt the present, and argon2 the future.

What people think on hacker news:

Quick answer: use Argon2i, unless you have very special needs.

Or another BCrypt vs PBKDF2 vs Argon2

[French] If you have access to a good implementation of Argon2, you can use it in place of BCrypt.

https://github.com/jfurrow/flood/issues/483#issuecomment-338461684

@randomnonsense Not SHA512 but SHA512crypt (for password hashing). But as I already said SHA2 is a general use algorithm and was optimized for calculation so it is a lot easier to crack for an attacker than algorithms specially created for password storage (Argon2, Bcrypt, ...) that were specially designed to be a nightmare to bruteforce. Here is a detailed article explaining why. Actually using SHA512crypt over Bcrypt is dropping the security.

When changing security you want to increase it, not drop it. So the two candidates here are scrypt or argon2. Argon2 is the winner of PHC and has a node js wrapper: node-sodium or node-argon2. Note that libsodium is a multi-algorithm lib, not only for argon2.
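
The fast-hash versus slow-KDF distinction argued in the comment above, together with the rehash-on-login step that replacing bcrypt implies, as an added example that is not from this thread or from Flood's code. It uses scrypt from Node's built-in `crypto` module as the slow function so that it runs without native add-ons (the `argon2` package named in the thread would take its place); the cost parameters, the `scrypt$...` storage format and the `verifyLegacy` callback are assumptions.

```javascript
// Added example, not code from Flood or from this thread.
const crypto = require('node:crypto');

// Assumed cost parameters; tune them to the deployment's hardware.
const PARAMS = { N: 2 ** 14, r: 8, p: 1 };

// Stores "scrypt$N$r$p$salt$key" so the salt and cost travel with the hash.
function hashPassword(password, { N, r, p } = PARAMS) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32, { N, r, p });
  return ['scrypt', N, r, p, salt.toString('base64'), key.toString('base64')].join('$');
}

function verifyPassword(password, stored) {
  const [scheme, N, r, p, salt, key] = stored.split('$');
  if (scheme !== 'scrypt' || !key) return false;
  const expected = Buffer.from(key, 'base64');
  const actual = crypto.scryptSync(password, Buffer.from(salt, 'base64'),
    expected.length, { N: Number(N), r: Number(r), p: Number(p) });
  return crypto.timingSafeEqual(actual, expected); // constant-time compare
}

// True for bcrypt ("$2a$", "$2b$", "$2y$") or scrypt below the current cost.
function needsRehash(stored, params = PARAMS) {
  if (/^\$2[aby]\$/.test(stored)) return true;
  const [scheme, N, r, p] = stored.split('$').map((v, i) => (i ? Number(v) : v));
  return scheme !== 'scrypt' || N < params.N || r < params.r || p < params.p;
}

// verifyLegacy is a hypothetical callback wrapping the existing bcrypt check.
// On success with an outdated hash, returns a replacement to write back.
function login(password, stored, verifyLegacy) {
  const ok = stored.startsWith('scrypt$')
    ? verifyPassword(password, stored) : verifyLegacy(password, stored);
  return { ok, upgraded: ok && needsRehash(stored) ? hashPassword(password) : null };
}

// Milliseconds per password guess: salted SHA-512 versus scrypt.
function costPerGuess(password = 'constructed-sample-password') {
  const salt = crypto.randomBytes(16);
  const ms = (fn) => {
    const start = process.hrtime.bigint();
    fn();
    return Number(process.hrtime.bigint() - start) / 1e6;
  };
  return {
    sha512: ms(() => crypto.createHash('sha512').update(salt).update(password).digest()),
    scrypt: ms(() => crypto.scryptSync(password, salt, 32, PARAMS)),
  };
}
```

Because the plaintext is only available at login, legacy hashes are replaced one account at a time as users sign in; `login` returns the new string for the caller to persist.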

sachaw commented 7 years ago

argon2 ftw! although implementations are scarce it looks very promising, would be nice to see in flood! https://www.npmjs.com/package/argon2 https://stormpath.com/blog/secure-password-hashing-in-node-with-argon2

noraj commented 7 years ago

@sachaw It doesn't need many implementations if the existing ones are good 😄

randomnonsense commented 7 years ago

Sure, this is a good idea.

sachaw commented 7 years ago

@noraj1337 I was referring to native language implementations, but you are right.

jfurrow commented 7 years ago

@noraj1337 thanks for opening this issue! I'll work on implementing argon2 next.

jfurrow commented 7 years ago

I'd be thrilled if everyone in this thread could review my proposed implementation: https://github.com/jfurrow/flood/pull/523

noraj commented 7 years ago

@jfurrow Looks great to me (as a nodejs agnostic).