[wp-trac] [WordPress Trac] #21022: Use bcrypt for password hashing; updating old hashes
WordPress Trac
noreply at wordpress.org
Wed Sep 18 05:59:37 UTC 2019
#21022: Use bcrypt for password hashing; updating old hashes
-------------------------------------------------+-------------------------
Reporter: th23 | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Future
| Release
Component: Security | Version: 3.4
Severity: major | Resolution:
Keywords: 2nd-opinion has-patch needs-testing | Focuses:
dev-feedback |
-------------------------------------------------+-------------------------
Comment (by paragoninitiativeenterprises):
> now the prehash is down to 88 characters, respectable, but we can do
better, was what I thought, and brought base91 to the table.
There's a subtle reason why we recommended Base64: Migrating from base-256
(raw bytes) to any base-N (where N is a power of 2) is easy to implement
using constant-time arithmetic. For example:
https://github.com/paragonie/constant_time_encoding/blob/55af0dc01992b4d0da7f6372e2eac097bbbaffdb/src/Base64.php#L213-L270
When your new base is not an even power of 2, you have to deal with non-
constant-time operations. This isn't straightforward: Even multiplying two
integers can leak timing information on some processors.
https://www.bearssl.org/ctmul.html
RFC 4648 defines several binary-safe encodings that we can use: Base16
(Hex), Base32, Base32Hex, Base64, and Base64Url.
However, we don't actually need '''binary-safe''' here, what we need is
simply "no NUL characters" (without introducing timing leaks would be
preferred).
If we really wanted to squeeze as much of the SHA512 hash into the 72
character real estate as possible, we could define an alternative
"Base128" where all of the output characters have the high bit set (i.e.
they occupy the range `\x80 - \xFF`; the complement to ASCII) and use that
instead of Base64. This gives us a binary blow-up of 8/7 which comes out
to about 74 characters and is guaranteed to never have a NUL byte. (For
the purposes of this discussion, since the high bit is set, let's call
this hypothetical "Noble-128" so it doesn't get mistaken for an RFC 4648
approved standard.)
And such an algorithm would be easy to implement: Take 7 bits of input,
prefix it with 1 bit, that's your output. (You can even use the standard
`=` padding character for uneven inputs, since it's not a valid member of
the `\x80-\xFF` keyspace.)
Is this worth the extra engineering effort? Well, the keyspace of a
base64-encoded SHA512 hash is roughly 432 bits.
You won't ever need more than 256. https://pthree.org/2016/06/19/the-
physics-of-brute-force
In my opinion, bcrypt-sha512-base64 is the most elegant solution available
to WordPress with a PHP 5.6 minimum version. Mostly because it's a one-
liner and doesn't require a custom encoding scheme be created.
We can bikeshed this further, but a successful argument against base64
here means more technical debt and adding code that mere mortals do not
understand in the WordPress codebase.
Of course, if that's worth squeezing an extra 72 bits out of something
that's already 174 bits in excessive of a generous security boundary, I'm
happy to hear you out.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/21022#comment:120>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list