Page MenuHomePhabricator
Create Task
Maniphest T127445

Improve default choice of PBKDF2 parameters
Closed, ResolvedPublic
Actions

Description

The current default set of parameters (in $wgPasswordConfig) used when hashing a new password using PBKDF2 is:

'pbkdf2' => [
	'class' => 'Pbkdf2Password',
	'algo' => 'sha256',
	'cost' => '10000',
	'length' => '128',
],

The output length ("length") is 128 bytes * 8 bits/byte = 1024 bits, which is 4 times the output length of SHA-256. This means 4 PBKDF2 output blocks are used.

Because we are not trying to generate a 1024-bit encryption key, the time spent generating three additional output blocks perhaps could be better spent in additional iterations ("cost"). In PBKDF2, the output blocks are generated independently, so the function is trivially parallelizable for multiple blocks. And for password cracking, it is only necessary to compute and check the first block for each guess.

So we should seriously consider using the output length of the hash function (32 bytes) and possibly increasing "cost" to a higher number like 10000 * 4 = 40000 by default, and 64000 * 4 = 256000 for Wikimedia.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Update default hash storage settingsmediawiki/coremaster+3 -3
Update pbkdf2 hash parametersoperations/mediawiki-configmaster+6 -8
Update hash parameters in Betaoperations/mediawiki-configmaster+7 -0
Customize query in gerrit

Related Objects

Event Timeline

PleaseStand created this task.Feb 19 2016, 2:28 PM
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 19 2016, 2:28 PM
gerritbot subscribed.Mar 3 2016, 7:01 PM

Change 274772 merged by jenkins-bot:
Update hash parameters in Beta

https://gerrit.wikimedia.org/r/274772

gerritbot added a comment.Mar 3 2016, 8:10 PM

Change 274795 had a related patch set uploaded (by CSteipp):
Update pbkdf2 hash parameters

https://gerrit.wikimedia.org/r/274795

gerritbot added a project: Patch-For-Review.Mar 3 2016, 8:10 PM
gerritbot added a comment.Mar 8 2016, 4:14 PM

Change 274795 merged by jenkins-bot:
Update pbkdf2 hash parameters

https://gerrit.wikimedia.org/r/274795

gerritbot added a comment.Mar 8 2016, 6:35 PM

Change 275868 had a related patch set uploaded (by CSteipp):
Update default hash storage settings

https://gerrit.wikimedia.org/r/275868

csteipp added a comment.Mar 8 2016, 6:43 PM

https://gerrit.wikimedia.org/r/275868

Updated DefaultSettings.php to use 30,000 rounds of sha512 with an output length of 64 bytes (1 block). In my testing, this gave approximately the same work amount of work as calculating the previous settings (10k rounds, 128 bytes of output => 4 blocks) for both the php5.5 hash_pbkdf2 and the implementation we ship with MediaWiki.

Keeping the timing the same ensures the timing of the password comparison doesn't leak information about which format a particular user has.

csteipp mentioned this in T116030: Increase pbkdf2 parameter strengths (2015/2016).Apr 25 2016, 11:23 PM
gerritbot added a comment.May 10 2016, 10:29 PM

Change 275868 merged by jenkins-bot:
Update default hash storage settings

https://gerrit.wikimedia.org/r/275868

ReleaseTaggerBot added projects: MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), MW-1.28-release-notes.May 10 2016, 11:00 PM
Krinkle closed this task as Resolved.May 12 2016, 10:32 PM
Krinkle claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits