Passwords are hashed using SHA256 #258
Comments
|
Redis internally stores passwords hashed with SHA256. |
|
We chose to use plain SHA-256 hashes to ensure compatibility with Redis’s ACL rules. However, we are actively exploring improvements, such as introducing an optional syntax for salted hashes and potentially transitioning to a more compute-intensive KDF. While addressing this isn’t our top priority at the moment, we are aware of this issue and will address it in the future. |
|
Makes sense. I also see you're adding in AAD support as well, which is probably the better long-term approach anyway. If and when you get to improving the hashing feel free to reach out to me internally (stsyfuhs@ms) if you're inclined. My team owns Windows auth so we have an abundance of lessons learned around protocol auth. |
Is this a function of the Redis protocol or is this an internal implementation detail?
garnet/libs/server/ACL/ACLPassword.cs
Lines 35 to 39 in 5675a98
If this is an implementation detail then this needs to be converted into something more time consuming using a KDF plus salt.
The text was updated successfully, but these errors were encountered: