Switch to Argon2 for password hashing #3353
Conversation
|
Does this have some impact on CGImap? |
|
Possibly if it does password validation, which I guess it must? |
|
Yes, definitely, I needs to validate passwords independent of what's going on in the Rails port. |
|
Yes the code in https://github.com/zerebubuth/openstreetmap-cgimap/blob/master/src/basicauth.cpp is affected. |
|
I would like to propose two changes for a halfway sane implementation on the CGImap side:
|
tomhughes
added
changes requested
|
I'm happy to switch algorithms. The main thing I wanted to check is how this would impact (postively or not) on migrating to use Devise to take care of these sorts of things for us. They don't currently use argon2 for password hashing (they use bcrypt), but I found that they have a plugin system for their password encryptors, and someone else has written a devise-argon2 gem. So as far as I can tell, if/when we move to devise we could write our own custom encryptor, in order to handle all the fallbacks and whatever arguments we are passing to argon2. Although, ideally, I would let someone upstream worry about password algorithms for us. Talking of fallbacks, I know that we support silent upgrades of old password hashes. Is there merit in limiting how far back we do this, from the perspective of code simplicity and maintainability? I don't think it would be too bad to say if you haven't logged in at some point over the last X (e.g. 10?) years then you need to reset your password. |
|
Well the risk is that the older the account the more likely somebody no longer has access to the email, although they may well still know the password. There is some discussion at https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes where the suggestion is that ideally you would expire old insecure passwords and force a reset while also noting that it may cause an increased support load. |
|
As suggested by @mmd-osm I have updated this drop the pepper support. As to the second request the ruby bindings are actually fixed at |
tomhughes
removed
work-in-progress
|
I did a quick survey of the historic passwords - the results are:
Based on that I suspect we could reasonable wipe the passwords for the first two groups and certainly for the first group - anybody in those groups hasn't logged in or changed their password in eight years. |
|
Can we somehow deploy this to the dev instance? To merge the cgimap pull request, libargon2-dev would need to be installed on the dev instance first. I added argon2 as a hard dependency for now. No worries, I will include the additional dependency as a breaking change in the release notes - but it would still be an annoyance for some people out there. |
|
I've setup https://argon2.apis.dev.openstreetmap.org/ with both the web site and cgimap branches. |
|
Thanks! I tested Basic auth in JOSM, and this still appears to be working fine. I cannot test an upgrade to Argon2, as every new website user would immediately start using Argon2. As we have unit test coverage on the Rails port for the upgrade to Argon2, as well as unit tests on cgimap to use different hashes, this should be ok for now. |
It's been five years since we last updated our password hashing and things have moved on - the current OWASP recommendation is to use Argon2.
Argon2 takes care of recording the salt and hash parameters as part of the password so the separate salt is no longer needed except for legacy passwords.
We're using the default parameters (64Mb memory, 2 iterations, 1 degree of parallelism) which exceeds the OWASP recommended values and upgrading will be automatic as the defaults change over time.
There is also support for an optional "pepper" which means that a leak of hashed passwords would be useless without the pepper (a shared secret included in the hashes) which is not present in the database or on the database servers.