Status: Closed (closed by alpha-centauri 8 years ago)
@alpha-centauri The password secret isn't being used to hash user passwords.
See https://github.com/Graylog2/graylog2-server/blob/2.0.2/graylog2-server/src/main/java/org/graylog2/security/hashing/BCryptPasswordAlgorithm.java for the actual password hashing algorithm being used.
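As an added illustration of the point made in this comment and of the behaviour reported in the issue below (example code written for this page, not Graylog's code or anything posted by the participants; it assumes the jBCrypt library, org.mindrot.jbcrypt, and uses constructed sample values), the following shows why a plain bcrypt hash keeps verifying after `password_secret` changes, and contrasts it with a hypothetical variant where the secret is an actual input to the hash:

```java
import org.mindrot.jbcrypt.BCrypt;

// Added illustration, not Graylog code. Uses jBCrypt (org.mindrot.jbcrypt).
public class PepperRotationDemo {
    // Plain bcrypt, as in BCryptPasswordAlgorithm: the configured secret is
    // never an input, so the hash depends only on the password and the
    // random salt embedded in the hash string itself.
    static String hashPlain(String password) {
        return BCrypt.hashpw(password, BCrypt.gensalt(10));
    }

    static boolean verifyPlain(String password, String stored) {
        return BCrypt.checkpw(password, stored);
    }

    // Hypothetical peppered variant (NOT what Graylog does): the secret is
    // mixed into the bcrypt input, so rotating it invalidates every stored
    // hash. A production design would HMAC(pepper, password) first rather
    // than concatenate, because bcrypt only consumes the first 72 bytes.
    static String hashPeppered(String password, String pepper) {
        return BCrypt.hashpw(password + pepper, BCrypt.gensalt(10));
    }

    static boolean verifyPeppered(String password, String pepper, String stored) {
        return BCrypt.checkpw(password + pepper, stored);
    }

    public static void main(String[] args) {
        String password  = "correct horse";          // constructed sample
        String oldSecret = "old-password-secret";    // constructed placeholder
        String newSecret = "new-password-secret";    // constructed placeholder

        // Reported behaviour: password_secret is rotated, login still works,
        // because the secret was never part of the hash computation.
        String stored = hashPlain(password);
        System.out.println("plain bcrypt after secret rotation verifies: "
                + verifyPlain(password, stored));

        // In the peppered variant the same rotation breaks verification.
        String peppered = hashPeppered(password, oldSecret);
        System.out.println("peppered hash with old secret verifies: "
                + verifyPeppered(password, oldSecret, peppered));
        System.out.println("peppered hash with new secret verifies: "
                + verifyPeppered(password, newSecret, peppered));
    }
}
```

The takeaway for operators is that rotating `password_secret` is not a way to force re-authentication or invalidate stored credentials; it protects other material, and local user password hashes remain valid.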
Problem description
The password secret / pepper (password_secret in graylog.conf) seems to have no effect. After changing its value, it is still possible to authenticate as a local user whose password had been hashed with the old password secret.
Steps to reproduce the problem
Result: Authentication for that user still works. Actually, it is expected to fail because the password hash should be different when using a different password secret.
Environment