Page MenuHomePhabricator

Logout users with MD5 password hash
Closed, DeclinedPublic

Description

With PBKDF2 being deployed, if and only if it seems to be working OK for a short while, we should reset the user tokens of users with MD5 hashes, thus forcing them to re-login and update their hashes. (We can also do this in batches to avoid a massive number of simultaneous hashing being done.)


Version: wmf-deployment
Severity: minor

Details

Reference
bz70910

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:48 AM
bzimport set Reference to bz70910.
bzimport added a subscriber: Unknown Object (MLST).

It would be nice if we could wrap them in another hash instead of trying to force a login. I'd rather not have the hash in our DB at all.

From what I remember, there's a reason the script had issues doing that, but I don't remember why..

Is the wrapOldPasswords.php script useful for this purpose?

Users have been (until recently) logged out every 30 days anyway, so this would probably not make much difference. IMO decline in favor of T91917.

MarcoAurelio added a subscriber: MarcoAurelio.

Ping secteam here to know if this is resolved/still required.

We have logged out everyone a couple times since then due to security incidents, so I guess this is resolved?

In T72910#6441587, @Tgr wrote:

We have logged out everyone a couple times since then due to security incidents, so I guess this is resolved?

+1

Althogh I don't recall whether the recent logouts affected private wikis. Anyway, per T72910#2794416, I don't see much point - probably the only users with an MD5 hash still are long-inactive ones.

If the reason to log out users with md5 password hashes is to force them to login and update the hash to a more secure one, this request is flawed.

Inactive users with md5 password hashes won't come to login again in the foreseeable future. Those hashes will remain untouched.

I don't think there's a way to "secure" them, other than wipe them altogether and force them a password recovery by email, if they have one set.

sbassett added a subscriber: sbassett.
In T72910#2794416, @Tgr wrote:

Users have been (until recently) logged out every 30 days anyway, so this would probably not make much difference. IMO decline in favor of T91917.
...
We have logged out everyone a couple times since then due to security incidents, so I guess this is resolved?

I'm going to decline this since I'd agree that likely all users have been logged out due to various security incidents within the last 6 years. I also think it makes the most sense to continue working on this from the non-user side in either T91917 or T150647 and not have a bunch of quasi-related, open tasks lying around.