Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suggestion: change password hashing from pbkdf2 to bcrypt #5859

Closed
EpicCoder opened this issue Jan 26, 2019 · 4 comments
Closed

Suggestion: change password hashing from pbkdf2 to bcrypt #5859

EpicCoder opened this issue Jan 26, 2019 · 4 comments
Labels
type/enhancement An improvement of existing functionality type/proposal The new feature has not been accepted yet but needs to be discussed first.
Milestone
1.10.0

Comments

@EpicCoder
Copy link
Contributor

EpicCoder commented Jan 26, 2019
edited
Loading

Last week I migrated from GitLab to gitea but had problems with the password hashes. GitLab uses 'bcrypt' and gitea uses 'pbkdf2' so I needed to modify gitea to work with 'bcrypt' and now it works fine.

Today I read that GitHub also uses 'bcrypt' for password hashing, so I think it would maybe better to move to 'bcrypt' so it's easier to migrate between different platforms.
@techknowlogick techknowlogick added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Feb 2, 2019
@lunny lunny added the type/enhancement An improvement of existing functionality label Feb 6, 2019
@lunny
Copy link
Member

lunny commented Feb 6, 2019

For a compatible implementation, we can add a config option to define hash functions. Default is pbkdf2 and you can use bcrypt.

@lunny
Copy link
Member

lunny commented Feb 6, 2019

@EpicCoder could you send a PR to do that?

@EpicCoder
Copy link
Contributor Author

The config option is a good idea. Yes I will working on this and send a PR soon

@d-Pixie
Copy link

d-Pixie commented Feb 6, 2019

If you are going to do this I would suggest moving beyond bcrypt as well and add options for scrypt and argon2 as well.

Short on the different algorithms:
PBKDF2 - still the recommendation from NIST but can be meaningfully accelerated on GPU hardware.
bcrypt - proven (1999) technology that uses iteration count and sizable memory requirements to prevent GPU acceleration, can still be meaningfully accelerated on FPGAs.
scrypt - newer (2009) technology that allows implementer to tweak both memory block size and iteration count. Has proven to be weaker than bcrypt IF the memory block size is too small. If you have a system that doesn't need to handle many login attempts per minute, and can hence up the memory block size requirement to something like 256Mb, it is vastly harder to accelerate on FPGAs than bcrypt - but only for now.
argon2 - new technology that won the password hashing algorithm contest a few years back and has already been subjected to several evaluations from cryptography experts (leading to some tweaks in the algorithm). On paper it is the current best choice, but might have some hidden weakness yet to be found.

Choice is always good and these are all good choices depending on what situation you are in. A password hash that specifies the algorithm and config for it is a great idea and would allow one to change on the fly when the circumstances change.

@lunny lunny added this to the 1.10.0 milestone Jul 7, 2019
jeffliu27 pushed a commit to jeffliu27/gitea that referenced this issue Jul 18, 2019
@EpicCoder @jeffliu27
Add additional password hash algorithms (closes go-gitea#5859) (go-gi…
f6f0266 
…tea#6023)
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
type/enhancement An improvement of existing functionality type/proposal The new feature has not been accepted yet but needs to be discussed first.
Projects
None yet
Milestone
1.10.0
Development

No branches or pull requests
4 participants
@lunny @techknowlogick @d-Pixie @EpicCoder