Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

13.0.0 Release Notes #3040

Closed
hueniverse opened this issue Feb 1, 2016 · 2 comments
Closed

13.0.0 Release Notes #3040

hueniverse opened this issue Feb 1, 2016 · 2 comments

Comments

@hueniverse
Copy link
Contributor

@hueniverse hueniverse commented Feb 1, 2016

Summary

hapi v13.0.0 is a tiny release with a single change to ensure passwords passed internally to the iron module are sufficiently long (a new minimum length of 32 characters). This release will simply assert if short passwords are passed. This is a critical verification as short password are easy to exploit with a brute force.

  • Upgrade time: low - no time to a couple of hours for most users
  • Complexity: low - potentially requires increasing password string length
  • Risk: low - low risk of side effects and no changes to keep track of overall
  • Dependencies: low- applies to a single API call

Thanks to @tomsteele for his help with this release.

Sponsor


The v13.0.0 major release is sponsored by Sideway.

Breaking Changes

  • Requires passwords used to encrypt or sign cookies to be at least 32 character long.

New Features

None.

Bug fixes

None.

Updated dependencies

  • iron from v3.0.1 to v4.0.0
  • statehood from v3.1.0 to v4.0.0

Migration Checklist

Password length

The new requirement will cause invalid configurations to fail with an error that the password string is too short. This is a good thing - you want it to fail because if your password is indeed too short, you are at real risk of being exploited. Because the internal encryption mechanism uses the pbkdf2 algorithm with a single iteration to generate the keys, it is a pretty quick operation. Because the method is called on every incoming request, increasing the iteration count would have a linear negative impact on performance. To avoid that, a long password creates far too many possible password combination for an attacker to try in a timely manner.

Checklist:

  • Check your code for calls to server.state() or connection state configuration for password or sign.password and if present ensure you are passing a string that is at least 32 characters long.
@rluba
Copy link
Contributor

@rluba rluba commented Feb 1, 2016

The corresponding tag is not yet pushed. Might also be the reason for #3041?

@hueniverse
Copy link
Contributor Author

@hueniverse hueniverse commented Feb 1, 2016

My vm died while I was away so it probably failed at the end of the publish script. Fixed now. thanks.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants