opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Upgrade local password hashing algorithm from Bcrypt to Argon2id #7605

Closed oittaa closed 5 months ago

oittaa commented 5 months ago


Is your feature request related to a problem? Please describe.

While Bcrypt is still a good password hashing algorithm, people have brought up minor issues like truncating the password to the first 72 bytes. Argon2, the winner of The Password Hashing Competition, uses BLAKE2b hash function internally and is probably the most modern and secure password hashing algorithm at the moment. Argon2id is the current recommendation by OWASP.

Describe the solution you like

I think every instance of password_verify will continue to work as expected, but the only instance of password_hash needs to be updated. The default cost options should be fine (m=65536,t=4,p=1) since they are slightly above the OWASP recommendations.

https://github.com/opnsense/core/blob/93304298abf4dc48a47766b2fa30729489ec6db8/src/etc/inc/auth.inc#L474

to

        $hash = password_hash($password, PASSWORD_ARGON2ID);

Describe alternatives you considered

Continue to use Bcrypt which is fine at the moment, but at some point in the future it might make sense to consider memory-hard algorithms.

Additional context

RFC 9106 recommends using the Argon2id variant. OpenSSL also added the Argon2i and Argon2id algorithms recently.

https://www.openssl.org/docs/manmaster/man7/EVP_KDF-ARGON2.html

https://en.wikipedia.org/wiki/Argon2
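The PHP-side behaviour this request relies on, as an added example that is not OPNsense code and not part of the original post: bcrypt ignores password bytes past 72, existing bcrypt hashes keep verifying, and a successful login can be used to re-hash with Argon2id. It assumes PHP 7.4 or later built with Argon2 support; `verify_and_upgrade()` is a hypothetical helper and the passwords are constructed sample values.

```php
<?php
// Added illustration; verify_and_upgrade() is a hypothetical helper, not an OPNsense function.

/**
 * Verify $password against $stored. If it matches and $stored was not created
 * with $algo/$options, also return a replacement hash for the caller to persist.
 * Returns [bool $ok, ?string $newHash].
 */
function verify_and_upgrade(string $password, string $stored, $algo, array $options = []): array
{
    if (!password_verify($password, $stored)) {
        return [false, null];           // wrong password: never re-hash
    }
    if (password_needs_rehash($stored, $algo, $options)) {
        return [true, password_hash($password, $algo, $options)];
    }
    return [true, null];                // already in the target format
}

if (!defined('PASSWORD_ARGON2ID')) {
    exit("This PHP build has no Argon2id support\n");
}

// 1) Two constructed passwords that differ only after byte 72.
$prefix = str_repeat('a', 72);
$a = $prefix . 'first-suffix';
$b = $prefix . 'other-suffix';

// bcrypt never reads past byte 72, so $b verifies against the hash of $a.
$bcrypt = password_hash($a, PASSWORD_BCRYPT, ['cost' => 10]);
echo 'bcrypt accepts the other suffix:   ';
var_dump(password_verify($b, $bcrypt));

// Argon2id hashes the whole input, so the same pair is told apart.
$argon = password_hash($a, PASSWORD_ARGON2ID);
echo 'argon2id accepts the other suffix: ';
var_dump(password_verify($b, $argon));

// 2) A stored bcrypt hash still verifies; the correct password triggers an upgrade.
$legacy = password_hash('constructed-sample-password', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $new] = verify_and_upgrade('constructed-sample-password', $legacy, PASSWORD_ARGON2ID);
echo 'login ok: ';
var_dump($ok);
echo 'old format: ', password_get_info($legacy)['algoName'], "\n";
echo 'new format: ', password_get_info($new)['algoName'], "\n";

// 3) A wrong password must not produce a replacement hash.
[$ok, $new] = verify_and_upgrade('wrong-password', $legacy, PASSWORD_ARGON2ID);
echo 'wrong password ok / new hash: ';
var_dump($ok, $new);
```

This covers only consumers that go through PHP's `password_verify`; any other reader of the stored hash has to understand the `$argon2id$` format as well.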

fichtner commented 5 months ago

I don’t know. Neither is compliant (the option is SHA-512 I think) and bcrypt is still very good. Note the hash is also used for the unix account. I don’t think it supports argon at the moment there.

We are updating bcrypt rounds as needed to increase compute time.

oittaa commented 5 months ago

Ok, if it's used in the unix account then there might be issues. I'm not a FreeBSD user myself so I don't know if Argon2 is supported or not.

oittaa commented 5 months ago

Made some quick searches and here are the results:

FreeBSD tools like crypt don't support Argon2 natively in the passwd-file. https://man.freebsd.org/cgi/man.cgi?query=crypt&sektion=3&apropos=0&manpath=FreeBSD+14.1-RELEASE+and+Ports

Interestingly NetBSD seems to have implemented it. https://man.netbsd.org/passwd.conf.5

I'll close this issue since Argon2 wouldn't work with the shell tools and so on. The idea might still be worth revisiting in the future if memory-hardness becomes more desirable and FreeBSD starts supporting Argon2 natively.