Closed Bug 987611 Opened 11 years ago Closed 11 years ago

Change PASSWORD_DIGEST_ALGORITHM from SHA-256 to something better

Categories

(Bugzilla :: Bugzilla-General, defect)

4.5.1
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 672129

People

(Reporter: gerv, Unassigned)

Details

Currently, Bugzilla uses SHA-256 as its PASSWORD_DIGEST_ALGORITHM. Even with a salt, a leak of password hashes would result in many passwords being cracked very quickly: http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/

Best practice suggests we should switch to bcrypt, scrypt or similar. Wonderfully, work done in the past means we can just update the value and everything will still work, with passwords being updated on the fly as users log in.

We use the Digest framework; there's definitely a Digest::Bcrypt. There is a Scrypt module: https://metacpan.org/pod/Crypt::Scrypt but it doesn't look like it's a Digest plugin. We could make one, though.

Gerv
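The mechanism the report relies on, a configurable digest algorithm plus transparent re-hashing of legacy hashes at login, shown as an added example. This is not Bugzilla's own Perl code: it is a stand-alone Python sketch in which `hashlib.scrypt` stands in for the bcrypt/scrypt options named above, the `algorithm$salt$digest` storage format and the scrypt cost parameters (n=2**14, r=8, p=1) are assumptions chosen for the example, and `login` is a hypothetical helper that does the on-the-fly upgrade.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# The tunable the bug proposes changing. New hashes and upgraded hashes use
# this algorithm; every other entry in ALGORITHMS is accepted only for
# verifying hashes that were stored before the switch.
PASSWORD_DIGEST_ALGORITHM = "scrypt"


def _sha256(password: bytes, salt: bytes) -> bytes:
    # Legacy scheme: a single SHA-256 pass over salt || password. The salt
    # defeats precomputed tables, but each guess still costs one cheap hash,
    # which is exactly what makes a leaked table fast to crack on GPUs.
    return hashlib.sha256(salt + password).digest()


def _scrypt(password: bytes, salt: bytes) -> bytes:
    # Memory-hard KDF standing in for bcrypt/Crypt::Scrypt. Parameters are
    # assumptions for this example (about 16 MiB of memory per guess with
    # n=2**14, r=8), not values Bugzilla uses.
    return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


ALGORITHMS: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "SHA-256": _sha256,
    "scrypt": _scrypt,
}


def hash_password(password: str, algorithm: Optional[str] = None) -> str:
    """Return a self-describing hash string: algorithm$salt_hex$digest_hex."""
    algorithm = algorithm or PASSWORD_DIGEST_ALGORITHM
    salt = os.urandom(16)  # fresh random salt per password
    digest = ALGORITHMS[algorithm](password.encode("utf-8"), salt)
    return f"{algorithm}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the algorithm recorded in the stored string and compare
    in constant time, so the check works for old and new hashes alike."""
    algorithm, salt_hex, digest_hex = stored.split("$", 2)
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    actual = ALGORITHMS[algorithm](password.encode("utf-8"), salt)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash was not produced by the current algorithm."""
    return stored.split("$", 1)[0] != PASSWORD_DIGEST_ALGORITHM


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Hypothetical login step. Returns (accepted, hash_to_store).

    A successful login is the only moment the plaintext is available, so
    that is when a legacy SHA-256 entry gets replaced by a scrypt one.
    A failed login never changes the stored value.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Constructed walk-through: an account created before the switch.
    legacy = hash_password("correct horse battery staple", "SHA-256")
    ok, upgraded = login("correct horse battery staple", legacy)
    print("legacy :", legacy[:24] + "...")
    print("login ok:", ok, "| upgraded:", upgraded.split("$", 1)[0])
```

Changing `PASSWORD_DIGEST_ALGORITHM` is all that is needed to start the migration; accounts that never log in again keep their SHA-256 hashes, which is the residual risk to track after such a switch.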
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: bugzilla-security