*** This bug is a security vulnerability *** Public security bug reported:
Keystone uses sha512_crypt for password hashing. This is completely insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing). The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead of sha512_crypt. This bug is marked as public security as bug #1543048 has already highlighted this issue. ** Affects: keystone Importance: Critical Assignee: Morgan Fainberg (mdrnstm) Status: Triaged ** Affects: ossa Importance: Undecided Status: Incomplete ** Tags: security ** Also affects: ossa Importance: Undecided Status: New ** Changed in: ossa Status: New => Incomplete -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1668503 Title: sha512_crypt is insufficient, use pdkfd_sha512 for password hashing Status in OpenStack Identity (keystone): Triaged Status in OpenStack Security Advisory: Incomplete Bug description: Keystone uses sha512_crypt for password hashing. This is completely insufficient and provides limited protection (even with 10,000 rounds) against brute-forcing of the password hashes (especially with FPGAs and/or GPU processing). The correct mechanism is to use bcrypt, scrypt, or pdkfd_sha512 instead of sha512_crypt. This bug is marked as public security as bug #1543048 has already highlighted this issue. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1668503/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp