Add pepper to password hashing #907

KentShikama · Jul 4, 2016

Random pepper generated by

dd if=/dev/urandom bs=1k count=1 2>/dev/null | base64
HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN997kuy9kbN
bBCUiAWT/630Dd8qsBHu6+nZGnsQ4FH0Eo5Psh+NFoDUSIwYQRUWW+3jSSZMPYb7qvBl+ww3j9f+
5l+BlhhiV7QOUTJwCWTvp0G+Rb2C0SVATswaxNnf79bC9Dme8/CKhlfx0KVuYnEOhkOEEMn99xy3
/DxE3O6njWH1HkiE20iLUERPhtnBeQXm10ZzWenIUC4mEXXBXAffRgRgqiSm3e6sv4ngPBdrAekt

I took the first x characters so the line length was 89 to fit within the < 90 char limit.

matrixbot · Jul 4, 2016

Can one of the admins verify this patch?

matrixbot · Jul 4, 2016

Can one of the admins verify this patch?

matrixbot · Jul 4, 2016

Can one of the admins verify this patch?

matrixbot · Jul 4, 2016

Can one of the admins verify this patch?

matrixbot · Jul 4, 2016

Can one of the admins verify this patch?

Doesn't this need to be a secret to each instance? I'd prefer if we instead had it like:

# Uncomment for extra security for your passwords.
# Change to a secret random string.
# DO NOT CHANGE THIS AFTER INITIAL SETUP!
#pepper: "<SOME_SECRET_RANDOM_STRING>"

Yeah it does indeed

erikjohnston · Jul 5, 2016

@matrixbot ok to test

self.hs.config.password_config.pepper should be self.hs.config.pepper

Whoops…I wonder how this passed on my local machine. Perhaps I forgot to restart the server once I removed the hardcoded pepper I was testing with.

Can we name this password_pepper or something?

I think it may do more harm than good to actually include an example string here that is not an obvious CHANGE_ME placeholder, as I can see people simply uncommenting and forgetting to change.

erikjohnston · Jul 5, 2016

(I think the dendron test failure is nothing to do with this PR)

erikjohnston · Jul 5, 2016

Thanks for this! :)

erikjohnston self-assigned this Jul 5, 2016

KentShikama deleted the KentShikama:pepper branch Jul 5, 2016

          def default_config(self, config_dir_path, server_name, **kwargs):
              return """
              # Enable password for login.
              password_config:
                 enabled: true
-    -        """
+    +           # Uncomment for extra security for your passwords.
+    +           # DO NOT CHANGE THIS AFTER INITIAL SETUP!
+    +           #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9"

@@ -763,6 +764,7 @@ def validate_hash(self, password, stored_hash):
                  Whether self.hash(password) == stored_hash (bool).
              """
              if stored_hash:
-    -            return bcrypt.hashpw(password, stored_hash.encode('utf-8')) == stored_hash
+    +            return bcrypt.hashpw(password + self.hs.config.password_config.pepper,

@@ -23,10 +23,15 @@ class PasswordConfig(Config):
          def read_config(self, config):
              password_config = config.get("password_config", {})
              self.password_enabled = password_config.get("enabled", True)
+    +        self.pepper = password_config.get("pepper", "")

          def default_config(self, config_dir_path, server_name, **kwargs):
              return """
              # Enable password for login.
              password_config:
                 enabled: true
+    +           # Uncomment for extra security for your passwords.
+    +           # Change to a secret random string.
+    +           # DO NOT CHANGE THIS AFTER INITIAL SETUP!
+    +           #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9"

matrix-org/synapse

Add pepper to password hashing #907

KentShikama commented Jul 4, 2016

matrixbot commented Jul 4, 2016

matrixbot commented Jul 4, 2016

matrixbot commented Jul 4, 2016

matrixbot commented Jul 4, 2016

matrixbot commented Jul 4, 2016

erikjohnston and 1 other commented on an outdated diff Jul 5, 2016

erikjohnston self-assigned this Jul 5, 2016

erikjohnston commented Jul 5, 2016

KentShikama added some commits Jul 5, 2016

erikjohnston and 1 other commented on an outdated diff Jul 5, 2016

erikjohnston commented on an outdated diff Jul 5, 2016

erikjohnston commented on an outdated diff Jul 5, 2016

KentShikama added some commits Jul 5, 2016

erikjohnston commented Jul 5, 2016

erikjohnston commented Jul 5, 2016

erikjohnston merged commit `e34cb5e` into matrix-org:develop Jul 5, 2016
4 of 5 checks passed

4 of 5 checks passed

KentShikama deleted the KentShikama:pepper branch Jul 5, 2016

matrix-org/synapse

Join GitHub today

Add pepper to password hashing #907

Conversation

KentShikama commented Jul 4, 2016

Some checks were not successful

matrixbot commented Jul 4, 2016

matrixbot commented Jul 4, 2016

matrixbot commented Jul 4, 2016

matrixbot commented Jul 4, 2016

matrixbot commented Jul 4, 2016

Show 2 comments Hide comments erikjohnston and 1 other commented on an outdated diff Jul 5, 2016

erikjohnston Jul 5, 2016

KentShikama Jul 5, 2016

erikjohnston self-assigned this Jul 5, 2016

erikjohnston commented Jul 5, 2016

KentShikama added some commits Jul 5, 2016

Some checks were not successful

Some checks were not successful

Show 2 comments Hide comments erikjohnston and 1 other commented on an outdated diff Jul 5, 2016

erikjohnston Jul 5, 2016

KentShikama Jul 5, 2016

Show 1 comment Hide comment erikjohnston commented on an outdated diff Jul 5, 2016

erikjohnston Jul 5, 2016

Show 1 comment Hide comment erikjohnston commented on an outdated diff Jul 5, 2016

erikjohnston Jul 5, 2016

KentShikama added some commits Jul 5, 2016

Some checks were not successful

erikjohnston commented Jul 5, 2016

erikjohnston commented Jul 5, 2016

Hide details View details erikjohnston merged commit e34cb5e into matrix-org:develop Jul 5, 2016 4 of 5 checks passed

4 of 5 checks passed

KentShikama deleted the KentShikama:pepper branch Jul 5, 2016

erikjohnston and 1 other commented on an outdated diff Jul 5, 2016

erikjohnston and 1 other commented on an outdated diff Jul 5, 2016

erikjohnston commented on an outdated diff Jul 5, 2016

erikjohnston commented on an outdated diff Jul 5, 2016

erikjohnston merged commit `e34cb5e` into matrix-org:develop Jul 5, 2016
4 of 5 checks passed