
Increase pbkdf2 parameter strengths (2019)
Open, Low, Public

Description

Clone of T116030; 3.5 years later we're probably due another round of these updates, especially after new hardware, switching to PHP 7+, etc.

Event Timeline

Reedy created this task.Oct 8 2019, 6:40 PM
Restricted Application added a subscriber: Aklapper. Oct 8 2019, 6:40 PM

I filed this as a security bug. I honestly don't know if it needs to be, as it's basically ongoing hardening.

This probably needs doing in MW core (changing the defaults), but also in wmf-config.

We need to decide what values to use.

MW core is at:

```php
	'pbkdf2' => [
		'class' => Pbkdf2Password::class,
		'algo' => 'sha512',
		'cost' => '30000',
		'length' => '64',
	],
```

WMF sites are on:

```
> var_dump( $wgPasswordConfig['pbkdf2'] );
array(4) {
  ["class"]=>
  string(14) "Pbkdf2Password"
  ["algo"]=>
  string(6) "sha512"
  ["cost"]=>
  string(6) "128000"
  ["length"]=>
  string(2) "64"
}
```
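The two operational steps behind "decide what values" are picking a cost by measuring the hardware you actually run on, and then getting existing hashes re-done at the new cost without forcing resets. The following is an added example written for this page, not MediaWiki or wmf-config code, and in Python rather than PHP. It fixes the parameters the task quotes (sha512, 64-byte output, cost 30000 in core versus 128000 on WMF sites), derives a cost from a target latency on the current host, and re-hashes a password at login when its stored cost is below the configured one. The `:pbkdf2:algo:cost:length:salt:hash` string layout and the function names are assumptions made for the example, not a guaranteed match for MediaWiki's stored format or API.

```python
"""Choosing and rolling over a PBKDF2 cost (iteration count).

Added example, not MediaWiki code. The stored-string layout below is an
assumption for illustration, not MediaWiki's actual format.
"""
import base64
import hashlib
import hmac
import os
import time

ALGO = "sha512"      # from the task's config
LENGTH = 64          # derived-key bytes, from the task's config
CORE_COST = 30000    # MW core default quoted in the task
WMF_COST = 128000    # WMF production value quoted in the task


def derive(password: str, salt: bytes, cost: int) -> bytes:
    """PBKDF2-HMAC with the page's fixed algorithm and output length."""
    return hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, cost, LENGTH)


def seconds_per_hash(cost: int, rounds: int = 3) -> float:
    """Median wall-clock time of one derivation at `cost` on this host."""
    salt = os.urandom(16)
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        derive("benchmark-only-password", salt, cost)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


def choose_cost(target_seconds: float, probe: int = CORE_COST,
                floor: int = CORE_COST) -> int:
    """Scale a measured cost so one hash takes about `target_seconds`.

    PBKDF2 time is linear in the iteration count, so one probe suffices.
    The result is rounded down to a multiple of 1000 and never drops below
    `floor`, so re-tuning on a slower box cannot weaken the current default.
    """
    measured = seconds_per_hash(probe)
    scaled = int(probe * target_seconds / measured)
    return max(floor, scaled - scaled % 1000)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, cost: int) -> str:
    """Fresh random salt, parameters embedded so each hash is self-describing."""
    salt = os.urandom(16)
    dk = derive(password, salt, cost)
    return f":pbkdf2:{ALGO}:{cost}:{LENGTH}:{_b64(salt)}:{_b64(dk)}"


def parse_stored(stored: str) -> tuple[int, bytes, bytes]:
    """Return (cost, salt, hash) from the assumed stored layout."""
    _, kind, algo, cost, length, salt, dk = stored.split(":")
    if kind != "pbkdf2" or algo != ALGO or int(length) != LENGTH:
        raise ValueError("unsupported hash parameters")
    return int(cost), base64.b64decode(salt), base64.b64decode(dk)


def verify(stored: str, password: str) -> bool:
    """Verify against the hash's own embedded cost, so old hashes keep
    working after the configured cost is raised; compare in constant time."""
    cost, salt, expected = parse_stored(stored)
    return hmac.compare_digest(derive(password, salt, cost), expected)


def needs_update(stored: str, current_cost: int) -> bool:
    """True when the stored hash was made with a lower cost than configured."""
    return parse_stored(stored)[0] < current_cost


def login(stored: str, password: str, current_cost: int):
    """Check a password. On success, also return a replacement hash when the
    stored one is below the configured cost (login is the only point where
    the cleartext is available to re-hash), otherwise None."""
    if not verify(stored, password):
        return False, None
    if needs_update(stored, current_cost):
        return True, hash_password(password, current_cost)
    return True, None


if __name__ == "__main__":
    old = hash_password("correct horse", CORE_COST)
    ok, replacement = login(old, "correct horse", WMF_COST)
    print("verified:", ok, "re-hashed at cost:", parse_stored(replacement)[0])
    print("cost for ~100 ms on this host:", choose_cost(0.1))
```

Two points worth keeping in mind when applying this to real config: measure on the slowest production class that will actually verify logins, not a developer laptop, and raise the configured cost only after every code path that verifies a password reads the cost from the stored hash rather than from the live setting, otherwise every pre-existing hash stops verifying the moment the default changes.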

> I filed this as a security bug. I honestly don't know if it needs to be, as it's basically ongoing hardening.

It's all in CommonSettings.php, right? I'd guess this can probably be public.

Reedy added a comment.Oct 11 2019, 1:27 PM

>> I filed this as a security bug. I honestly don't know if it needs to be, as it's basically ongoing hardening.
>
> It's all in CommonSettings.php, right? I'd guess this can probably be public.

Yup, I'll do that now then.

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 11 2019, 1:27 PM
Jcross triaged this task as Low priority.Oct 15 2019, 5:04 PM
chasemp moved this task from Incoming to Back Orders on the Security-Team board.Dec 2 2019, 8:52 PM