Opened 5 years ago
Last modified 5 years ago
#30561 closed New feature
Time for peppering user passwords in Django? — at Version 1
Reported by: | linluc | Owned by: | nobody |
---|---|---|---|
Component: | Uncategorized | Version: | 2.2 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Peppering passwords has been a controversial topic widely discussed in many Stack Overflow questions. Having run my 20+ personal email addresses through the HIBP page, the findings are clear: all emails/passwords of mine that had been leaked fall into the following categories: SQL injections, misconfigured databases, exposed database admin panels or stray database backup files.
And that's exactly what a pepper value in the hashing process protects against. Breaching the whole server with physical access to the file system is rather rare nowadays.
According to the NIST document Digital Identity Guidelines: Authentication and Lifecycle Management (https://pages.nist.gov/800-63-3/sp800-63b.html):
“In addition, verifiers SHOULD perform an additional iteration of a key derivation function using a salt value that is secret and known only to the verifier.”
So, why not in Django?