-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Add pepper to password hashing #907
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -23,10 +23,14 @@ class PasswordConfig(Config): | |
def read_config(self, config): | ||
password_config = config.get("password_config", {}) | ||
self.password_enabled = password_config.get("enabled", True) | ||
self.pepper = password_config.get("pepper", "") | ||
|
||
def default_config(self, config_dir_path, server_name, **kwargs): | ||
return """ | ||
# Enable password for login. | ||
password_config: | ||
enabled: true | ||
""" | ||
# Uncomment for extra security for your passwords. | ||
# DO NOT CHANGE THIS AFTER INITIAL SETUP! | ||
#pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Doesn't this need to be a secret to each instance? I'd prefer if we instead had it like: # Uncomment for extra security for your passwords.
# Change to a secret random string.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
#pepper: "<SOME_SECRET_RANDOM_STRING>" There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yeah it does indeed There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think it may do more harm than good to actually include an example string here that is not an obvious |
||
""" |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -750,7 +750,7 @@ def hash(self, password): | |
Returns: | ||
Hashed password (str). | ||
""" | ||
return bcrypt.hashpw(password, bcrypt.gensalt(self.bcrypt_rounds)) | ||
return bcrypt.hashpw(password + self.hs.config.password_config.pepper, bcrypt.gensalt(self.bcrypt_rounds)) | ||
|
||
def validate_hash(self, password, stored_hash): | ||
"""Validates that self.hash(password) == stored_hash. | ||
|
@@ -763,6 +763,7 @@ def validate_hash(self, password, stored_hash): | |
Whether self.hash(password) == stored_hash (bool). | ||
""" | ||
if stored_hash: | ||
return bcrypt.hashpw(password, stored_hash.encode('utf-8')) == stored_hash | ||
return bcrypt.hashpw(password + self.hs.config.password_config.pepper, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Whoops…I wonder how this passed on my local machine. Perhaps I forgot to restart the server once I removed the hardcoded pepper I was testing with. |
||
stored_hash.encode('utf-8')) == stored_hash | ||
else: | ||
return False |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we name this
password_pepper
or something?