
Increase Salt randomness #18179

Merged
merged 8 commits into from
Jan 4, 2022

Commits on Jan 4, 2022

  1. Use actually good salt

    - The current implementation of `RandomString` doesn't give you a
    most-possible unique randomness. It gives you 6*`length` instead of the
    possible 8*`length` bits (or as `length`x bytes) randomness. This is
    because `RandomString` is being limited to a max value of 63, this in
    order to represent the random byte as a letter/digit.
    - The recommendation of pbkdf2 is to use 64+ bit salt, which the
    `RandomString` doesn't give with a length of 10, instead of increasing
    10 to a higher number, this patch adds a new function called
    `RandomBytes` which does give you the guarantee of 8*`length` randomness
    and thus corresponding of `length`x bytes randomness.
    - Use hexadecimal to store the bytes value in the database, as
    mentioned, it doesn't play nice in order to convert it to a string. This
    will always be a length of 32 (with `length` being 16).
    Gusted committed Jan 4, 2022
    6f1bb3e
  2. Add migration

    Gusted committed Jan 4, 2022
    b00a4ba
  3. Migrate passwords on-demand

    - When we detect on `Authenticate` (source: db) that a user has the old
    format of salt, re-hash the password such that the user will have its
    password hashed with increased salt.
    Gusted committed Jan 4, 2022
    4ac0c4b
  4. Reword comment in hashPassword

    Gusted committed Jan 4, 2022
    8076dba
  5. Refactor comments

    Gusted committed Jan 4, 2022
    0fd2657
  6. Simplify RandomBytes function

    Gusted committed Jan 4, 2022
    359ac9e
  7. Make MySQL happy

    Gusted committed Jan 4, 2022
    491309d
  8. Future-proof

    Co-authored-by: lafriks <lauris@nix.lv>
    Gusted and lafriks committed Jan 4, 2022
    dcdc72d
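The two mechanisms the commit messages above describe, shown together as an added example written for this page, not code from the project or from this PR: commit 1's point that a letter/digit generator masks each random byte to 6 bits (so a 10-character salt carries 60 bits, under the 64-bit pbkdf2 recommendation) while hex-encoding raw bytes keeps all 8 bits per byte and stores 16 bytes as 32 characters, and commit 3's on-demand re-hash when `Authenticate` finds a user still on the old salt format. The `legacyAlphabet`, `newSaltBytes`, the 10000-iteration count, the `User` type and every function name are constructed for the example, and the inline PBKDF2 is a standard-library-only stand-in for whatever KDF wiring the project actually uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

const (
	// Constructed 64-symbol alphabet standing in for the old generator:
	// indexing it with a byte masked to 63 keeps only 6 of that byte's 8 bits.
	legacyAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
	newSaltBytes   = 16    // raw bytes per salt, stored as 32 hex characters
	pbkdf2Iter     = 10000 // assumed iteration count for this example only
)

// LegacyRandomString reproduces the weaker scheme: 6 bits of entropy per character.
func LegacyRandomString(length int) (string, error) {
	buf := make([]byte, length)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	for i := range buf {
		buf[i] = legacyAlphabet[buf[i]&63]
	}
	return string(buf), nil
}

// RandomBytes returns n random bytes hex-encoded: 8 bits per byte, 2n characters.
func RandomBytes(n int) (string, error) {
	buf := make([]byte, n)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return hex.EncodeToString(buf), nil
}

// IsLegacySalt tells a 10-character alphabet salt from a 32-character hex salt.
func IsLegacySalt(salt string) bool {
	_, err := hex.DecodeString(salt)
	return len(salt) != 2*newSaltBytes || err != nil
}

// SaltEntropyBits: 6 bits per legacy character (60 for 10) vs 8 per hex byte (128 for 16).
func SaltEntropyBits(salt string) int {
	if IsLegacySalt(salt) {
		return 6 * len(salt)
	}
	return 8 * len(salt) / 2
}

// pbkdf2SHA256 is a compact PBKDF2 (RFC 8018) over HMAC-SHA256, inlined so the
// example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	for block := 1; len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// User is a constructed stand-in for the stored credential row.
type User struct{ Salt, Passwd string }

func hashPassword(password, salt string) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(password), []byte(salt), pbkdf2Iter, 32))
}

// Authenticate verifies the password (constant-time compare) and, only on
// success, re-hashes an account still on a legacy salt: migration on demand.
func Authenticate(u *User, password string) (migrated bool, err error) {
	if subtle.ConstantTimeCompare([]byte(hashPassword(password, u.Salt)), []byte(u.Passwd)) != 1 {
		return false, errors.New("invalid password")
	}
	if !IsLegacySalt(u.Salt) {
		return false, nil
	}
	salt, err := RandomBytes(newSaltBytes)
	if err != nil {
		return false, err
	}
	u.Salt, u.Passwd = salt, hashPassword(password, salt)
	return true, nil
}
```

Calling `Authenticate` with the correct password against a record carrying a 10-character salt rewrites it under a 32-character hex salt; a wrong password leaves the record untouched, so the migration never runs on an unverified credential, and a second login on the migrated record authenticates without migrating again.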