Open mjakubicek opened 4 years ago
No. Let me explain
The chosen-prefix collision attack that was discovered recently and the basic collision attack that was shown a couple of years ago do not have anything to do with password hashing, which is the only remaining thing that sha1 is now used for after e05d3cc83f962a8ecbd0a6241a4bf3bd69def867.
The real problem is that we do not use salts when creating passwords. Without any salt, anyone who gets access to the users table can just look into freely available rainbow tables, for sha1 or sha512 or most others.
If you add salt though, then even MD5 could be good enough: https://stackoverflow.com/a/2774744
But still, moving backwards would be silly. OTOH, sha256 was not designed for password hashing, as it is fairly fast to calculate and parallelize. There are specialized hashing algorithms for password hashing that we should switch to if we really are gonna go away from sha1: for example bcrypt or the newer argon2.
Hm... I'm not against using salt, though I'm not really worried about the fact that the admin can try cracking the password. I take it as an education problem: users should know that when they share a password with a site, it may become vulnerable (nobody actually enforces any hashing at all, so as a user, you cannot rely on that) if admins malfunction.
On SHA1: I know it's not urgent, but these kinds of things easily get stalled, so it's just better to get rid of it.
On SHA256: good point & noted, thanks.
Overall: it's been a rather long time since my cryptography class at the university, and you are definitely more on top of things than me, so I happily leave this with you ;)
Python to the rescue: secure password hashing with hashlib.pbkdf2_hmac in the standard library :)
The somewhat dated LTS versions of Ubuntu (16.04 LTS) and Debian (stretch) are shipping with Python versions 3.6 and 3.5, respectively. So, maybe not using scrypt might be a good idea (for the time being).
In any case, SHA1 is no longer considered secure and should be replaced, e.g. with SHA256.
This is generally something that may happen again, so the users table should get an additional column "hashtype", which initially would be prefilled with "sha1" everywhere, and all users would be migrated to "sha256" upon their next login.
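The two suggestions in this thread put together, as an added example that is not code from this project: salted hashlib.pbkdf2_hmac (available since Python 3.4, so it works on the 3.5/3.6 distributions mentioned above) for new hashes, plus a "hashtype" column so that legacy unsalted sha1 rows are re-hashed in place on the user's next successful login. The hashtype label "pbkdf2_sha256", the iteration count, the record layout, and the sample user record are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count for PBKDF2-HMAC-SHA256; tune to the deployment's hardware.
PBKDF2_ITERATIONS = 600000

def legacy_sha1_record(password: str) -> dict:
    """Constructed sample of what the current users table holds: unsalted sha1."""
    return {"hashtype": "sha1", "hash": hashlib.sha1(password.encode("utf-8")).hexdigest()}

def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build a record in the new scheme: per-user random salt + PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user defeats precomputed rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"hashtype": "pbkdf2_sha256", "salt": salt.hex(),
            "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}

def verify_password(record: dict, password: str) -> bool:
    """Check a password against whichever scheme the record's hashtype names."""
    if record["hashtype"] == "sha1":
        expected = hashlib.sha1(password.encode("utf-8")).hexdigest()
    elif record["hashtype"] == "pbkdf2_sha256":
        expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                       bytes.fromhex(record["salt"]),
                                       record["iterations"]).hex()
    else:
        return False  # unknown hashtype: fail closed rather than guess
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(expected, record["hash"])

def login(record: dict, password: str) -> bool:
    """Verify the login; on success, migrate a legacy sha1 record to the new scheme.

    The plaintext is only available at login time, which is why the migration
    happens here instead of in a one-off batch job.
    """
    if not verify_password(record, password):
        return False
    if record["hashtype"] == "sha1":
        record.clear()
        record.update(hash_password(password))
    return True
```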