Password hash function #13
Sorry for the late response. You're absolutely right; EngineAuth should be using a more secure strategy. It's been some time since I've looked into it, but at the time bcrypt and scrypt were not included in the Python App Engine environment and a pure Python implementation would be too processor-intensive to be useful. According to this answer (http://stackoverflow.com/a/7029369/236564), PBKDF2 or SHA-512-Crypt might be a viable solution. Would you be interested in working on this?
Conceptually this is a pretty easy fix. It is just a drop-in replacement of a function call. However, it should be noted that this version is not backwards compatible with previous versions. Also, use bcrypt; I think that's the best of the three.
There is a vulnerability related to how passwords are stored. It is referred to as CWE-916: Use of Password Hash With Insufficient Computational Effort:
http://cwe.mitre.org/data/definitions/916.html
On line 59 the generate_password_hash() method is used without specifying a password hash function:
https://github.com/scotch/engineauth/blob/master/engineauth/strategies/password.py
This will default to sha1:
http://webapp-improved.appspot.com/_modules/webapp2_extras/security.html#generate_password_hash
hashlib supports sha256, which is better than sha1 for passwords, but still not suitable. Ideally you want a heavy KDF function such as bcrypt or scrypt.
This is a good read on bcrypt for passwords:
http://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage/6415
I will also file a bug with webapp2.
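The two concerns raised in this thread are the weak default (a fast SHA-1 hash) and the fact that switching the hash function breaks existing stored hashes. The following is an added example, not EngineAuth's or webapp2's code: it shows a constructed stand-in for the cheap legacy scheme, a hardened replacement using PBKDF2-HMAC-SHA256 from the standard library (the option the linked answer suggests for environments where bcrypt/scrypt are unavailable), and a verify-and-upgrade path that re-hashes a user's password at login so the change does not lock out existing accounts. The `sha1$salt$digest` legacy format, the `pbkdf2_sha256$...` format and the iteration count are assumptions chosen for illustration, not webapp2's real encoding.

```python
import hashlib
import hmac
import os

# Work factor for the hardened scheme. Assumption: chosen for illustration;
# tune it so a hash takes a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def legacy_sha1_store(password: str, salt: str = "deadbeef") -> str:
    """Constructed stand-in for the weak 'before' state: one fast SHA-1 pass.
    This is NOT webapp2's actual encoding; it only models a cheap, fast hash."""
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt, digest)


def hash_password_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: random per-user salt and a tunable iteration count.
    The iteration count is stored alongside the hash so it can be raised later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the stored hash uses the legacy scheme or a weaker work factor
    than the current policy, so the caller knows to write a fresh hash."""
    parts = stored.split("$")
    if parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < iterations


def verify_and_upgrade(password: str, stored: str, iterations: int = PBKDF2_ITERATIONS):
    """Verify against whichever scheme the stored value uses.
    Returns (ok, replacement): replacement is a new PBKDF2 hash to persist when
    the password was correct but the stored hash is legacy or under-iterated,
    otherwise None. This is the migration path the comment above says the
    drop-in replacement lacks."""
    parts = stored.split("$")
    if parts[0] == "pbkdf2_sha256":
        ok = verify_pbkdf2(password, stored)
    elif parts[0] == "sha1" and len(parts) == 3:
        # Legacy path: verify with the old fast hash, then retire it.
        ok = hmac.compare_digest(legacy_sha1_store(password, parts[1]), stored)
    else:
        return False, None
    if ok and needs_rehash(stored, iterations):
        return True, hash_password_pbkdf2(password, iterations)
    return ok, None


if __name__ == "__main__":
    # Constructed demo values.
    old = legacy_sha1_store("correct horse battery staple")
    ok, replacement = verify_and_upgrade("correct horse battery staple", old)
    print("legacy login ok:", ok, "| upgraded:", replacement is not None)
    print("wrong password:", verify_and_upgrade("wrong", old))
```

On login, persist `replacement` when it is not None; once every active account has been rehashed, the `sha1` branch can be removed. Keeping the iteration count inside the stored string is what lets the work factor be raised later without another migration.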