-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potentially conflicting information in Password Storage: Pre-Hashing Passwords with bcrypt #1532
Comments
I really think "just dont use bcrypt" since pre-hashing can cause problems and NOT pre-hashing can cause problems. We are at an era where Argon2id is the right call and bcrypt is not. I want developers to just use the right algorithm and using bcrypt "right" is to challenging IMO. I see the Okta situation as bcrypt's end. Finally. |
Thanks for your answer! Maybe add something like this at the end of the paragraph?
|
@jmanico I agree that people should switch to more modern algorithms like Argon2 whenever possible. I still wonder why the article recommends against SHA-256 hashing (which is indeed vulnerable to password shucking) but then shows Base64-encoded HMAC in the code (which should neither suffer from password shucking nor the null-byte problem). Originally, the code fragment contained a SHA-384 example, but you changed this to HMAC in commit 658ba04, pointing to “advice from twitter.com/AaronToponce”. Do you happen to remember why you thought HMAC was problematic as well? Because if it isn't, this might be an acceptable solution for legacy applications which cannot switch to Argon2 (for whatever reason). |
The comments from the last two posters only leads me to wanting to drop bcrypt from the cheatsheet and only focus on Argon2id and PBKDF2 only. I am eager to get PR's to fix bcrypt, go for it, but the days of this cheatsheet supporting bcrypt are coming to an end. |
@jmanico: PBKDF2 also suffers from password shucking (if the typical construction with HMAC as the PRF is used). When the password exceeds the block size of the underlying hash function (e.g., 64 bytes in the case of SHA-256), then it's pre-hashed and only used in this pre-hashed form, allowing an attacker to reuse leaked hashes. So this isn't a bcrypt-specific problem. Recommending against all algorithms except Argon2 might be an option, but this would leave developers working on legacy systems with essentially nothing. How about the following three options:?
If you believe this is going in the right direction, then I'll happily open a PR. |
Go for it. I think this is a fair direction even though I cant wait for bcrypt to die in a fire. |
Was there ever a PR for this? I'm asking because in WordPress/wordpress-develop#7333 |
In OWASP#1532 there was a side discussion by @ja2048 and @jmanico on why HMAC would prevent against password chucking, but the linked talk mentioned that even a hash with a pepper would prevent this. I further removed the mentioning of PBKDF2, since this suggests that bcrypt + PBKDF2 would give FIPS-140 compliance. I also added that bcrypt should only be used for legacy system which don't have agron2 or scrypt, as discussed in OWASP#1532
In OWASP#1532 there was a side discussion by @ja2048 and @jmanico on why the CS mentioned that HMAC would be vulnerable to password shucking, but the linked talk mentioned that even a hash with a pepper would prevent it. So I correcteed the guidance. I further removed the mentioning of PBKDF2, since this suggests that bcrypt + PBKDF2 would give FIPS-140 compliance. I also added that bcrypt should only be used for legacy system which don't have agron2 or scrypt, as discussed in OWASP#1532
In OWASP#1532 there was a side discussion by @ja2048 and @jmanico on why the CS mentioned that HMAC would be vulnerable to password shucking, but the linked talk mentioned that even a hash with a pepper would prevent it. So I correcteed the guidance. I further removed the mentioning of PBKDF2, since this suggests that bcrypt + PBKDF2 would give FIPS-140 compliance. I also added that bcrypt should only be used for legacy system which don't have agron2 or scrypt, as discussed in OWASP#1532
In OWASP#1532 there was a side discussion by @ja2048 and @jmanico on why the CS mentioned that HMAC would be vulnerable to password shucking, but the linked talk mentioned that even a hash with a pepper would prevent it. So I correcteed the guidance. I further removed the mentioning of PBKDF2, since this suggests that bcrypt + PBKDF2 would give FIPS-140 compliance. I also added that bcrypt should only be used for legacy system which don't have agron2 or scrypt, as discussed in OWASP#1532
In OWASP#1532 there was a side discussion by @ja2048 and @jmanico on why the CS mentioned that HMAC would be vulnerable to password shucking, but the linked talk mentioned that even a hash with a pepper would prevent it. So I correcteed the guidance. I further removed the mentioning of PBKDF2, since this suggests that bcrypt + PBKDF2 would give FIPS-140 compliance. I also added that bcrypt should only be used for legacy system which don't have agron2 or scrypt, as discussed in OWASP#1532
In #1532 there was a side discussion by @ja2048 and @jmanico on why the CS mentioned that HMAC would be vulnerable to password shucking, but the linked talk mentioned that even a hash with a pepper would prevent it. So I correcteed the guidance. I further removed the mentioning of PBKDF2, since this suggests that bcrypt + PBKDF2 would give FIPS-140 compliance. I also added that bcrypt should only be used for legacy system which don't have agron2 or scrypt, as discussed in #1532
So the recent Okta username-longer-than-52 security advisory got me interested in best practice for handling longer-than-72 password length with bcrypt.
Someone in X/Twitter suggests we can SHA256 hash the password before applying bcrypt. The OWASP cheatsheet explicitly discourage this:
This blog post cited in the above excerpt explained that null bytes might show up after hashing if we don't encode the raw output with base64 or hex.
Quoting the blog post:
However, the OWASP excerpt above uses
bcrypt(base64(hmac-sha256(data:$password, key:$pepper)), $salt, $cost)
as an example of unsafe prehashing practice (this is how I interpret it anyway). To me, they feel like conflicting information.Could someone clarify this?
Note: I created a relevant question on the security stack exchange.
The text was updated successfully, but these errors were encountered: