
Increase pbkdf2 parameter strengths (2015/2016)
Closed, ResolvedPublic

Description

From https://lists.wikimedia.org/mailman/private/mediawiki-security/2015-October/000035.html

Set,

'algo' => 'sha512',
'cost' => '128000',
'length' => '64',

For the pbkdf2 parameters at the WMF. This will reduce the amount of work mediawiki does for password hashing by 40%, while increasing the amount of work an attacker has to do by 2.5x.

For our tarball, we should probably adjust the default params to,

'algo' => 'sha512',
'cost' => '40000',
'length' => '64',

Event Timeline

csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
Luke081515 subscribed.

Don't add Security-Team here, otherwise all members of a publicly joinable project can see this task! This is not intended, I guess.

@Luke081515: Nope that's not how the access permissions in Phabricator are implemented. :) Readded.

@Aklapper: Normally, but this project was not added as a project:

Luke081515 removed a subscriber: Security-Team.

This project was added as CC, and this is why I could see the task before: normally I'm not a member of Security, and should only see the security bugs I created, but I added myself as a member of Security-Team, and so I could see the task.

Interesting. I wrote and am running a script to track down other instances of that across tickets marked security, and have fixed T101341 and T115333 so far.

Also T100803 in WMF-NDA. Going to remove the project restriction soon and let it check everything I can see in Phab.

Edit: After it gets to something like offset 42k, my script starts getting "Maximum execution time of 10 seconds exceeded" HTTP 500s unfortunately. Still:

```python
# By Alex Monk. As of writing, dies around offset 42k due to a server-side timeout.
import json, subprocess

def getAll(arcArgs, params = {}, limit = 1000, offset = 0):
    # Page through a Conduit method, yielding every item; recurses while pages are full.
    print("Offset " + str(offset))
    proc = subprocess.Popen(arcArgs, stdin = subprocess.PIPE, stdout = subprocess.PIPE)
    # `arc call-conduit` reads the JSON parameters from stdin (bytes under Python 3).
    resultOut, resultErr = proc.communicate(input = json.dumps(dict(params, limit = limit, offset = offset)).encode())
    dataOut = json.loads(resultOut.strip())['response']
    if 'data' in dataOut:
        items = list(dataOut['data'].values())
    elif isinstance(dataOut, dict):
        items = list(dataOut.values())
    elif isinstance(dataOut, list):
        items = dataOut
    else:
        items = []
    for item in items:
        yield item
    if len(items) == limit:
        for item in getAll(arcArgs, params = params, limit = limit, offset = offset + limit):
            yield item

arcCommand = ['arc', 'call-conduit', '--conduit-uri', 'https://phabricator.wikimedia.org/']

# Security: PHID-PROJ-koo4qqdng27q7r65x3cw
# WMF-NDA: PHID-PROJ-ibxm3v6ithf3jpqpqhl7
# {'projectPHIDs': ['PHID-PROJ-somethingsomethingsomething']}
for task in getAll(arcCommand + ['maniphest.query'], {}, limit = 1000):
    # Flag tasks that have a project (rather than a user) listed as a CC subscriber.
    for ccPHID in task['ccPHIDs']:
        if 'PROJ' in ccPHID:
            print('https://phabricator.wikimedia.org/T' + str(task['id']) + ' - ' + ccPHID + ' - ' + task['title'])
            break
```

Not pasting the output here due to the obvious issues involving what my account can access.

> @Aklapper: Normally, but this project was not added as a project:
> This project was added as CC

Oh....! Thanks a lot, @Luke081515! I missed that. :(

Since this is really a hardening issue (someone would have to get our password hashes to crack them), and since the original 64k strength still holds (the WMF is just doing 4x that when checking passwords), I'm going to push this as a public patch to be swatted tomorrow (28 Jan).
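The reasoning behind the new parameters in the description (sha512, cost 128000, length 64) and behind the "4x that when checking passwords" remark above is a property of PBKDF2 itself: the derived key is produced in independent blocks of one hash-output each, so a `length` longer than the hash output multiplies the verifier's work without adding anything to the work needed to check a candidate password against a stored hash. The following is an added example, not MediaWiki or WMF code; it reimplements PBKDF2 block by block to make that visible and tallies HMAC calls for both parameter sets. The old cost of 64k comes from the comment above; the old length of 128 bytes is an assumption chosen to match "4x" (four 32-byte SHA-256 blocks), and the password and salt are constructed sample values.

```python
# Added example, not MediaWiki or WMF code: it shows why PBKDF2 'length' should
# equal the hash's output size, which is what the sha512/length 64 change above
# achieves, and it tallies the work behind the "4x when checking" remark.
import hashlib
import hmac
import math
import struct

# Constructed sample inputs (any password/salt pair behaves the same way).
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = b"\x00\x01\x02\x03\x04\x05\x06\x07"

# Old WMF parameters: cost 64k is stated in the task; length 128 is an
# ASSUMPTION consistent with "4x that when checking" (4 blocks of 32 bytes).
OLD_WMF = {"algo": "sha256", "cost": 64000, "length": 128}
# New parameters, as given in the task description.
NEW_WMF = {"algo": "sha512", "cost": 128000, "length": 64}


def pbkdf2_block(algo, password, salt, cost, block_index):
    """One PBKDF2 output block T_i (RFC 8018 section 5.2): exactly `cost` HMAC calls."""
    u = hmac.new(password, salt + struct.pack(">I", block_index), algo).digest()
    t = bytearray(u)
    for _ in range(cost - 1):
        u = hmac.new(password, u, algo).digest()
        for j, byte in enumerate(u):
            t[j] ^= byte
    return bytes(t)


def pbkdf2(algo, password, salt, cost, length):
    """Full PBKDF2: ceil(length / hLen) independent blocks, each costing `cost` HMAC calls."""
    hlen = hashlib.new(algo).digest_size
    blocks = math.ceil(length / hlen)
    out = b"".join(pbkdf2_block(algo, password, salt, cost, i) for i in range(1, blocks + 1))
    return out[:length]


def matches_stdlib(algo, password, salt, cost, length):
    """Sanity check: the block-by-block construction equals hashlib.pbkdf2_hmac."""
    return pbkdf2(algo, password, salt, cost, length) == hashlib.pbkdf2_hmac(
        algo, password, salt, cost, length)


def first_block_is_prefix(algo, password, salt, cost, length):
    """The first hLen bytes of a long derived key equal the hLen-byte derived key,
    so a stored hash can be checked against a candidate password from block 1
    alone: extra blocks add verifier cost but no per-guess cost."""
    hlen = hashlib.new(algo).digest_size
    full = hashlib.pbkdf2_hmac(algo, password, salt, cost, length)
    short = hashlib.pbkdf2_hmac(algo, password, salt, cost, hlen)
    return full[:hlen] == short


def hmac_calls(params):
    """HMAC invocations for the legitimate verifier (all blocks) versus for
    checking one candidate password (first block only)."""
    hlen = hashlib.new(params["algo"]).digest_size
    blocks = math.ceil(params["length"] / hlen)
    return {"verifier": blocks * params["cost"], "per_guess": params["cost"]}


def work_ratio(old, new):
    """(verifier work ratio, per-guess work ratio) of new over old, in HMAC calls."""
    o, n = hmac_calls(old), hmac_calls(new)
    return (n["verifier"] / o["verifier"], n["per_guess"] / o["per_guess"])


if __name__ == "__main__":
    small_cost = 200  # keeps the demo fast; the prefix property does not depend on cost
    print("construction matches hashlib:",
          matches_stdlib("sha256", SAMPLE_PASSWORD, SAMPLE_SALT, small_cost, 128))
    print("first block is a prefix of the long key:",
          first_block_is_prefix("sha256", SAMPLE_PASSWORD, SAMPLE_SALT, small_cost, 128))
    for name, p in (("old", OLD_WMF), ("new", NEW_WMF)):
        print(name, p, hmac_calls(p))
    print("new/old verifier work, new/old per-guess work:", work_ratio(OLD_WMF, NEW_WMF))
```

Counting HMAC calls alone gives a new/old ratio of 0.5 for the verifier and 2.0 per guess; the 40% and 2.5x figures in the description additionally reflect SHA-512 costing more per call than SHA-256, particularly on the GPU hardware used for offline cracking. The practical rule this illustrates is the one the patch applies: set `length` to the digest size of `algo` and put all of the cost budget into iterations.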

csteipp added a parent task: Restricted Task. Mar 1 2016, 6:02 PM

This was deployed with https://gerrit.wikimedia.org/r/#/c/274795/.

This has been live on all wikis for about 2 hours, and 4k hashes have been converted so far. Authentications (https://grafana.wikimedia.org/dashboard/db/authentications) seem to be progressing at the normal pace.

Stats from CountPasswordTypes2.php:

| Password type | Count |
| --- | --- |
| md5 | 12034721 |
| type-a | 84656 |
| type-b | 24063500 |
| pbkdf2 (256) | 9552526 |
| pbkdf2 (512) | 4485 |
| zero-length | 103908 |
| 'nologin' | 257 |

Public patch for DefaultSettings.php is https://gerrit.wikimedia.org/r/275868 (since T127445 was opened publicly).

I think we can just cherry pick that back to all the release branches, unless that throws off creating the security patch?

> Public patch for DefaultSettings.php is https://gerrit.wikimedia.org/r/275868 (since T127445 was opened publicly).
>
> I think we can just cherry pick that back to all the release branches, unless that throws off creating the security patch?

They'll need manual porting anyway because of the array() syntax change.

demon changed the visibility from "Custom Policy" to "Public (No Login Required)". May 20 2016, 5:26 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Reedy renamed this task from Increase pbkdf2 parameter strengths to Increase pbkdf2 parameter strengths (2015/2016). Oct 8 2019, 6:39 PM