Use more secure hashes for passwords

[flaix]

Gitblit currently uses outdated hash functions for passwords stored in the user file. It should be updated to use modern hashes considered secure.

[jblaufuss]

Yes! I just came here to report this same issue. Looking at users.conf, passwords are hashed using MD5, which is easily cracked. A modern system should use something like scrypt, which is specifically designed for hashing passwords and making dictionary-based cracking difficult.

[martinspielmann]

I opened a pull request to address this issue. It's adding PBKDF2WithHmacSHA256 hash algorithm while being fully backward compatible.

A general topic which should be discussed in my opinion is the following:
When the realm.passwordStorage property is updated, the stored password hashes will only be updated if the user changes his password which might take a very long time.
Would it be better to check if the property was changed on every login?

Best regards,
Martin

[jblaufuss]

I have never actually built and authentication system like this myself, but have have heard it discussed. IIRC, the "right way" to do a hash algorithm migration is this:

• The password validation function has two cases:

1. Hash the password with the new algorithm and verify the output against the stored hash.

2. If the above fails, then hash the password with the old algorithm, then hash the output with the new algorithm, then verify the chained output against the stored hash.

• On upgrade, automatically hash all the hashes in users.conf with the new algorithm. They'll be able to be verified by case 2.

• If a user changes his password, it's only hashed with the new algo, and is verified by case 1.

The benefit of this is that you don't have hashes created with a weak algorithm hanging around (potentially indefinitely) on your system, waiting to be cracked.

I suppose it could be simpler to only have the case 2 code, because it would provide the extra security and no one can make any guarantees that everyone will eventually update their passwords so it can eventually be eliminated.

Also, IIRC, simple MD5 hashes can be cracked so effectively at this point that they're really just good for obfuscation, not security. I don't think it even makes sense to provide the option to use simple MD5 hashes at all.

[martinspielmann]

Ah, I wasn't aware of this migration process, but it sounds reasonable 👍. I'll update the PR asap.
I share the opinion that MD5 for password hashing. I'm a little afraid of dropping support for MD5 though. Who knows if someone used it for some integration or something... and there's also the option to use plaintext... don't know what's a good solution here :/

[flaix]

The password hash to be used is configurable. That means that it could have changed over time and that multiple different schemes are in use in the users.conf file. There is no way to know what the "old" algorithm was, I think. I believe the suggested process works for applications with a fixed hashing algorithm that was changed, but not in this case.

[martinspielmann]

@fzs you are right. I tried to implement the above suggested migration process and kept the information about previous algorithms in an additional prefix. But it turned out to get really complex and not very maintainable :/

[flaix]

I don't think it is much of a problem and needs to be solved automatically. A Gitblit administrator can decide if he is fine with leaving old hashed values as they are or to what degree she wants to bug her users to update their passwords so that they are hashed with a new algorithm.
Another possibility would be to upgrade the hash in user.conf when a user logs in, not only when he changes his password.

[martinspielmann]

OK, Yes that was my first idea too. I,ll add that tothe PR asap.

EDIT: added automatic hash update when a user logs in.