elexis-eu / lexonomy

A cloud-based, open-source system for writing and publishing dictionaries.
http://www.lexonomy.eu/
MIT License

replace sha1 #198

Open mjakubicek opened 4 years ago

mjakubicek commented 4 years ago

SHA1 is no longer considered secure and should be replaced, e.g. with SHA256.

This is generally something that may happen again, so the users table should get an additional column "hashtype", which initially would be prefilled with "sha1" everywhere and all users would be migrated to "sha256" upon their next login.

gareins commented 4 years ago

No. Let me explain

The chosen-prefix collision attack that was discovered recently and the basic collision attack that was shown a couple of years ago do not have anything to do with password hashing - which is the only remaining thing that sha1 is now used for after e05d3cc83f962a8ecbd0a6241a4bf3bd69def867.

The real problem is that we do not use salts when creating passwords. Without any salt, anyone who gets access to users table can just look into freely available rainbow tables, sha1 or sha512 or most others.

If you add a salt though, even MD5 could be good enough: https://stackoverflow.com/a/2774744

But still, moving backwards would be silly. OTOH, sha256 was not designed for password hashing as it is fairly fast to calculate and parallelize. There are specialized hashing algorithms for password hashing that we should switch to if we really are gonna go away from sha1: for example bcrypt or newer argon2.

mjakubicek commented 4 years ago

Hm... I'm not against using salt, though I'm not quite worried about the fact that the admin can try cracking the password. I take it as an education problem: users should know that when they share a password with a site, it may become vulnerable (nobody actually enforces any hashing at all, so as a user, you cannot rely on that) if admins malfunction.

On SHA1: I know it's not urgent, but these kinds of things easily get stalled, so it's just better to get rid of it.

On SHA256: good point & noted, thanks.

Overall: it's been a rather long time since my cryptography class at the university, and you are definitely more on top of things than me, so I happily leave this with you ;)

iiegn commented 4 years ago

python to the rescue: secure password hashing with hashlib.pbkdf2_hmac in the standard library :)

The somewhat dated LTS versions of Ubuntu (16.04LTS) and Debian (stretch) are shipping with Python versions 3.6 and 3.5, respectively. So, maybe not using scrypt might be a good idea (for the time being).

In any case,
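An added example (not lexonomy's own code) of the migration sketched in the opening post, using the standard-library `hashlib.pbkdf2_hmac` mentioned above: a legacy unsalted SHA-1 record tagged `hashtype == "sha1"` is verified at login and, if the password matches, rewritten as salted PBKDF2-HMAC-SHA256. The stored-string layout, the `pbkdf2_sha256` tag, the iteration count and the assumption that the legacy column holds a plain hex SHA-1 of the password are all assumptions, and the code avoids f-strings so it runs on the Python 3.5/3.6 mentioned in the thread.

```python
import hashlib
import hmac
import os

# Assumed record layout for the new scheme: "pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>"
NEW_HASHTYPE = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600000  # assumed default; tune to the server's budget
SALT_BYTES = 16


def legacy_sha1(password):
    # Assumed legacy format: unsalted hex SHA-1 of the UTF-8 password.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    # Fresh random per-user salt defeats precomputed (rainbow) tables;
    # the iteration count makes each guess deliberately slow.
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "{}${}${}${}".format(NEW_HASHTYPE, iterations, salt.hex(), dk.hex())


def verify_and_upgrade(password, stored, hashtype):
    """Return (ok, new_record).

    new_record is a replacement for the users row when the login succeeded
    against a legacy sha1 record, otherwise None. Callers persist it and set
    the row's hashtype column to NEW_HASHTYPE.
    """
    if hashtype == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password), stored)
        return ok, (hash_password(password) if ok else None)
    if hashtype == NEW_HASHTYPE:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != NEW_HASHTYPE:
            return False, None
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        # Constant-time compare avoids leaking how many leading bytes matched.
        return hmac.compare_digest(dk.hex(), dk_hex), None
    raise ValueError("unknown hashtype: {!r}".format(hashtype))


if __name__ == "__main__":
    # Constructed sample: a user whose row still carries a legacy sha1 hash.
    old_row = legacy_sha1("correct horse battery staple")
    ok, upgraded = verify_and_upgrade("correct horse battery staple", old_row, "sha1")
    print(ok, upgraded)
```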