Add pepper to password hashing #907
Conversation
Signed-off-by: Kent Shikama <[email protected]>
|
Can one of the admins verify this patch? |
4 similar comments
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
|
Can one of the admins verify this patch? |
| """ | ||
| # Uncomment for extra security for your passwords. | ||
| # DO NOT CHANGE THIS AFTER INITIAL SETUP! | ||
| #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9" |
There was a problem hiding this comment.
Doesn't this need to be a secret to each instance? I'd prefer if we instead had it like:
# Uncomment for extra security for your passwords.
# Change to a secret random string.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
#pepper: "<SOME_SECRET_RANDOM_STRING>"There was a problem hiding this comment.
Yeah it does indeed
|
@matrixbot ok to test |
| @@ -763,6 +764,7 @@ def validate_hash(self, password, stored_hash): | |||
| Whether self.hash(password) == stored_hash (bool). | |||
| """ | |||
| if stored_hash: | |||
| return bcrypt.hashpw(password, stored_hash.encode('utf-8')) == stored_hash | |||
| return bcrypt.hashpw(password + self.hs.config.password_config.pepper, | |||
There was a problem hiding this comment.
self.hs.config.password_config.pepper should be self.hs.config.pepper
There was a problem hiding this comment.
Whoops…I wonder how this passed on my local machine. Perhaps I forgot to restart the server once I removed the hardcoded pepper I was testing with.
|
(I think the dendron test failure is nothing to do with this PR) |
|
Thanks for this! :) |
Random pepper generated by
I took the first x characters so the line length was 89 to fit within the < 90 char limit.