Bug 987611
Opened 11 years ago
Closed 11 years ago
Change PASSWORD_DIGEST_ALGORITHM from SHA-256 to something better
Categories: Bugzilla :: Bugzilla-General, defect
Status: RESOLVED DUPLICATE of bug 672129
People: Reporter: gerv; Unassigned
Details
Currently, Bugzilla uses SHA-256 as its PASSWORD_DIGEST_ALGORITHM. Even with a salt, a leak of password hashes would result in many passwords being cracked very quickly:
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
Best practice suggests we should switch to bcrypt, scrypt or similar. Wonderfully, work done in the past means we can just update the value and everything will still work, with passwords being updated on the fly as users log in. We use the Digest framework; there's definitely a Digest::Bcrypt. There is a Scrypt module: https://metacpan.org/pod/Crypt::Scrypt but it doesn't look like it's a Digest plugin. We could make one, though.
Gerv
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated 11 years ago
Group: bugzilla-security