
Improve default choice of PBKDF2 parameters
Closed, Resolved · Public

Description

The current default set of parameters (in $wgPasswordConfig) used when hashing a new password using PBKDF2 is:

'pbkdf2' => [
	'class' => 'Pbkdf2Password',
	'algo' => 'sha256',
	'cost' => '10000',
	'length' => '128',
],

The output length ("length") is 128 bytes * 8 bits/byte = 1024 bits, which is 4 times the output length of SHA-256. This means 4 PBKDF2 output blocks are used.

Because we are not trying to generate a 1024-bit encryption key, the time spent generating three additional output blocks perhaps could be better spent in additional iterations ("cost"). In PBKDF2, the output blocks are generated independently, so the function is trivially parallelizable for multiple blocks. And for password cracking, it is only necessary to compute and check the first block for each guess.

So we should seriously consider using the output length of the hash function (32 bytes) and possibly increasing "cost" to a higher number like 10000 * 4 = 40000 by default, and 64000 * 4 = 256000 for Wikimedia.

Event Timeline

Restricted Application added subscribers: StudiesWorld, Aklapper. Feb 19 2016, 2:28 PM

Change 274772 merged by jenkins-bot:
Update hash parameters in Beta

https://gerrit.wikimedia.org/r/274772

Change 274795 had a related patch set uploaded (by CSteipp):
Update pbkdf2 hash parameters

https://gerrit.wikimedia.org/r/274795

Change 274795 merged by jenkins-bot:
Update pbkdf2 hash parameters

https://gerrit.wikimedia.org/r/274795

Change 275868 had a related patch set uploaded (by CSteipp):
Update default hash storage settings

https://gerrit.wikimedia.org/r/275868


Updated DefaultSettings.php to use 30,000 rounds of sha512 with an output length of 64 bytes (1 block). In my testing, this gave approximately the same amount of work as calculating the previous settings (10k rounds, 128 bytes of output => 4 blocks) for both the php5.5 hash_pbkdf2 and the implementation we ship with MediaWiki.

Keeping the timing the same ensures the timing of the password comparison doesn't leak information about which format a particular user has.
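As an added illustration of the point made in the task description and of the 30,000-round sha512 figure in the comment above (example code written for this page, not MediaWiki's implementation): a from-scratch PBKDF2 per RFC 2898 that shows the output blocks are independent, counts the HMAC evaluations the verifier pays under both parameter sets, and confirms that comparing a stored hash against its first block alone is sufficient. The password and salt are constructed sample input.

```python
import hashlib
import hmac
import math
import struct

def pbkdf2_block(algo, password, salt, iterations, i):
    # T_i = U_1 xor ... xor U_c with U_1 = HMAC(P, S || INT(i)), per RFC 2898 5.2.
    # Block i depends only on its own index, so blocks are computed independently.
    u = hmac.new(password, salt + struct.pack(">I", i), algo).digest()
    t = bytearray(u)
    for _ in range(iterations - 1):
        u = hmac.new(password, u, algo).digest()
        t = bytearray(a ^ b for a, b in zip(t, u))
    return bytes(t)

def pbkdf2(algo, password, salt, iterations, length):
    # Concatenate ceil(length / hLen) independent blocks, then truncate.
    nblocks = math.ceil(length / hashlib.new(algo).digest_size)
    blocks = (pbkdf2_block(algo, password, salt, iterations, i) for i in range(1, nblocks + 1))
    return b"".join(blocks)[:length]

def matches_stdlib(algo, password, salt, iterations, length):
    # Cross-check of the from-scratch derivation against hashlib.pbkdf2_hmac.
    return pbkdf2(algo, password, salt, iterations, length) == hashlib.pbkdf2_hmac(
        algo, password, salt, iterations, length)

def defender_hmac_calls(algo, iterations, length):
    # HMAC evaluations the verifier pays per hash: one iteration chain per output block.
    return math.ceil(length / hashlib.new(algo).digest_size) * iterations

def first_block_suffices(algo, password, salt, iterations, length):
    # Checking a stored hash only needs block 1 (the first hLen bytes); the extra
    # blocks cost the verifier (blocks - 1) * iterations HMACs but add no checking work.
    stored = hashlib.pbkdf2_hmac(algo, password, salt, iterations, length)
    hlen = hashlib.new(algo).digest_size
    return stored[:hlen] == pbkdf2_block(algo, password, salt, iterations, 1)

if __name__ == "__main__":
    pw, salt = b"correct horse battery staple", b"constructed-salt"  # constructed sample input
    # Old defaults (sha256, 10000 rounds, 128 bytes) next to the new ones (sha512, 30000 rounds, 64 bytes).
    for algo, rounds, length in (("sha256", 10000, 128), ("sha512", 30000, 64)):
        print(algo, rounds, length, "HMACs per hash:", defender_hmac_calls(algo, rounds, length),
              "HMACs to check one guess:", rounds, "first block suffices:",
              first_block_suffices(algo, pw, salt, rounds, length))
```

Both parameter sets cost the verifier a comparable number of HMAC evaluations (40,000 versus 30,000), but only with the single-block setting does every evaluation also count toward checking a guess.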

Change 275868 merged by jenkins-bot:
Update default hash storage settings

https://gerrit.wikimedia.org/r/275868

Krinkle closed this task as Resolved. May 12 2016, 10:32 PM
Krinkle claimed this task.