
Increase pbkdf2 parameter strengths (2015/2016)
Closed, ResolvedPublic




'algo' => 'sha512',
'cost' => '128000',
'length' => '64',

For the pbkdf2 parameters at the WMF. This will reduce the amount of work mediawiki does for password hashing by 40%, while increasing the amount of work an attacker has to do by 2.5x.

For our tarball, we should probably adjust the default params to,

'algo' => 'sha512',
'cost' => '40000',
'length' => '64',
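To make concrete what the three parameters above control, and why verification keeps working while hashes are regenerated (the thread later reports hashes being "converted" as users authenticate), here is an added example in Python. It is not MediaWiki's code: the `:pbkdf2:algo:cost:length:salt:hash` string layout is an assumption modelled on MediaWiki's format, the "legacy" parameter set (sha256 at the 64k iterations mentioned later in the thread, with an assumed 32-byte output), the 16-byte salt, the sample users and all function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Parameter sets from the task description (values taken from the page).
WMF_PARAMS = {"algo": "sha512", "cost": 128000, "length": 64}
TARBALL_PARAMS = {"algo": "sha512", "cost": 40000, "length": 64}
# Constructed legacy set for the upgrade demo: sha256 at the "original 64k"
# iterations mentioned in the thread; the 32-byte length is an assumption.
LEGACY_PARAMS = {"algo": "sha256", "cost": 64000, "length": 32}


def hash_password(password, params, salt=None):
    """Return a ':pbkdf2:algo:cost:length:salt:hash' string (assumed layout)."""
    if salt is None:
        salt = os.urandom(16)  # 16 random salt bytes (salt size is an assumption)
    derived = hashlib.pbkdf2_hmac(params["algo"], password.encode("utf-8"),
                                  salt, params["cost"], dklen=params["length"])
    fields = ["pbkdf2", params["algo"], str(params["cost"]), str(params["length"]),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(derived).decode("ascii")]
    return ":" + ":".join(fields)


def parse(stored):
    """Split a stored string back into its parameters, salt and hash bytes."""
    _, kind, algo, cost, length, salt, digest = stored.split(":")
    if kind != "pbkdf2":
        raise ValueError("not a pbkdf2 hash")
    return {"algo": algo, "cost": int(cost), "length": int(length),
            "salt": base64.b64decode(salt), "hash": base64.b64decode(digest)}


def verify(password, stored):
    """Recompute with the parameters stored in the string, not the configured
    ones, so hashes made under old settings still verify after a config change."""
    p = parse(stored)
    derived = hashlib.pbkdf2_hmac(p["algo"], password.encode("utf-8"),
                                  p["salt"], p["cost"], dklen=p["length"])
    return hmac.compare_digest(derived, p["hash"])  # constant-time comparison


def needs_update(stored, params):
    """True when the stored hash used different parameters than are now configured."""
    p = parse(stored)
    return (p["algo"], p["cost"], p["length"]) != (
        params["algo"], params["cost"], params["length"])


def check_and_upgrade(password, stored, params):
    """Model of rehash-on-login: the plaintext is only available during a
    successful authentication, so that is the only point an old hash can be
    replaced by one made with the stronger parameters."""
    if not verify(password, stored):
        return False, stored
    if needs_update(stored, params):
        return True, hash_password(password, params)
    return True, stored


def count_types(store):
    """Tally stored hashes by algorithm, keyed like the 'pbkdf2 (256)' stats in the thread."""
    counts = {}
    for stored in store.values():
        key = "pbkdf2 (%s)" % parse(stored)["algo"].replace("sha", "")
        counts[key] = counts.get(key, 0) + 1
    return counts


def simulate_logins(store, attempts, params):
    """Apply check_and_upgrade to each (user, password) attempt; returns (results, new_store)."""
    new_store = dict(store)
    results = {}
    for user, pw in attempts:
        ok, new_store[user] = check_and_upgrade(pw, new_store[user], params)
        results[user] = ok
    return results, new_store


# Constructed sample store: three users whose hashes were made under the legacy parameters.
SAMPLE_PASSWORDS = {"alice": "correct horse", "bob": "battery staple", "carol": "hunter2"}
SAMPLE_STORE = {u: hash_password(pw, LEGACY_PARAMS) for u, pw in SAMPLE_PASSWORDS.items()}

if __name__ == "__main__":
    logins = [("alice", "correct horse"), ("bob", "wrong")]
    results, upgraded = simulate_logins(SAMPLE_STORE, logins, WMF_PARAMS)
    print(results)  # alice verified and rehashed, bob rejected and left untouched
    print(count_types(SAMPLE_STORE), "->", count_types(upgraded))
```

Two points the code makes that the parameter lists alone do not: `verify` reads algo, cost and length out of the stored string rather than from configuration, which is what lets the old hashes stay valid during a rollout; and a failed login never triggers a rehash, since without the plaintext there is nothing to rehash.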


Related Gerrit Patches:
operations/mediawiki-config (master): Update pbkdf2 hash parameters
operations/mediawiki-config (master): Update hash parameters in Beta

Event Timeline

csteipp created this task.Oct 20 2015, 4:10 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added a project: Security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Security-Team.
Restricted Application added a subscriber: Aklapper.Oct 20 2015, 4:10 PM
csteipp triaged this task as Low priority.Oct 20 2015, 9:40 PM
Luke081515 added a subscriber: Luke081515.

Don't add Security-Team here, otherwise all members of a publicly joinable project can see this task! This is not intended, I guess.

@Luke081515: Nope, that's not how the access permissions in Phabricator are implemented. :) Re-added.

@Aklapper: Normally, but this project was not added as a project:

Luke081515 removed a subscriber: Security-Team.

This project was added as CC, and this was why I could see the task before: normally I'm not a member of Security, and should only see the security bugs I created, but I added myself as a member of Security-Team, and so I could see the task.

Krenair added a subscriber: Krenair. Edited Dec 26 2015, 1:52 AM

Interesting. I wrote and am running a script to track down other instances of that across tickets marked security, and have fixed T101341 and T115333 so far.

Also T100803 in WMF-NDA. Going to remove the project restriction soon and let it check everything I can see in Phab.

Edit: After it gets to something like offset 42k, my script starts getting "Maximum execution time of 10 seconds exceeded" HTTP 500s unfortunately. Still:

# By Alex Monk. As of writing, dies around offset 42k due to a server-side timeout.
import json
import subprocess


def getAll(arcArgs, params=None, limit=1000, offset=0):
    # Page through a Conduit method by calling arc repeatedly with a growing offset.
    params = params or {}
    print("Offset " + str(offset))
    proc = subprocess.Popen(arcArgs, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            universal_newlines=True)
    resultOut, resultErr = proc.communicate(
        input=json.dumps(dict(params, limit=limit, offset=offset)))
    dataOut = json.loads(resultOut.strip())['response']
    # Conduit methods differ in how they wrap results; normalise to a list.
    if isinstance(dataOut, dict) and 'data' in dataOut:
        items = list(dataOut['data'].values())
    elif isinstance(dataOut, dict):
        items = list(dataOut.values())
    elif isinstance(dataOut, list):
        items = dataOut
    else:
        items = []
    for item in items:
        yield item
    if len(items) == limit:
        # A full page means there may be more: fetch the next one.
        for item in getAll(arcArgs, params=params, limit=limit, offset=offset + limit):
            yield item


arcCommand = ['arc', 'call-conduit', '--conduit-uri', '']

# Security: PHID-PROJ-koo4qqdng27q7r65x3cw
# WMF-NDA: PHID-PROJ-ibxm3v6ithf3jpqpqhl7
# {'projectPHIDs': ['PHID-PROJ-somethingsomethingsomething']}
for task in getAll(arcCommand + ['maniphest.query'], {}, limit=1000):
    for ccPHID in task['ccPHIDs']:
        # A project PHID in the CC list grants every member of that project visibility.
        if 'PROJ' in ccPHID:
            print('' + task['id'] + ' - ' + ccPHID + ' - ' + task['title'])
            break

Not pasting the output here due to the obvious issues involving what my account can access.

@Aklapper: Normally, but this project was not added as a project:
This project was added as CC

Oh....! Thanks a lot, @Luke081515! I missed that. :(

csteipp moved this task from Backlog to Ready on the Security-Team board.Jan 5 2016, 3:44 PM

csteipp moved this task from Ready to In Progress on the Security-Team board.Jan 6 2016, 12:14 AM

Since this is really a hardening issue (someone would have to get our password hashes to crack them), and since the original 64k strength still holds (the WMF is just doing 4x that when checking passwords), I'm going to push this as a public patch to be swatted tomorrow (28 Jan).

csteipp claimed this task.Feb 26 2016, 8:17 PM
csteipp added a parent task: Restricted Task.Mar 1 2016, 6:02 PM
Luke081515 updated the task description.Mar 1 2016, 6:07 PM

This was deployed with

This has been live on all wikis for about 2 hours, and 4k hashes have been converted so far. Authentications ( seem to be progressing at the normal pace.

Stats from CountPasswordTypes2.php
pbkdf2 (256):9552526
pbkdf2 (512):4485

csteipp closed this task as Resolved.Mar 8 2016, 6:08 PM

Public patch for DefaultSettings.php is (since T127445 was opened publicly).

I think we can just cherry pick that back to all the release branches, unless that throws off creating the security patch?

demon added a subscriber: demon.May 10 2016, 10:17 PM

Public patch for DefaultSettings.php is (since T127445 was opened publicly).
I think we can just cherry pick that back to all the release branches, unless that throws off creating the security patch?

They'll need manual porting anyway because of the array() syntax change.

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:26 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko.May 20 2016, 5:26 PM
sbassett moved this task from In Progress to Done on the Security-Team board.Jun 11 2019, 6:05 PM
Reedy renamed this task from Increase pbkdf2 parameter strengths to Increase pbkdf2 parameter strengths (2015/2016).Oct 8 2019, 6:39 PM