[Django] #34661: Peppering user passwords

Fri, 16 Jun 2023 09:55:01 -0700 

#34661: Peppering user passwords
-----------------------------------------+------------------------
               Reporter:  Fatih Erikli   |          Owner:  nobody
                   Type:  Uncategorized  |         Status:  new
              Component:  contrib.auth   |        Version:  4.2
               Severity:  Normal         |       Keywords:
           Triage Stage:  Unreviewed     |      Has patch:  0
    Needs documentation:  0              |    Needs tests:  0
Patch needs improvement:  0              |  Easy pickings:  0
                  UI/UX:  0              |
-----------------------------------------+------------------------
 Currently a user's password stored in database in this format:

 > <algorithm>$<iterations>$<salt>$<hash>

 The salt is a random generated string per user. Hash (Last column) is the
 password hashed with the stored in previous column.

 Example, these are two computed passwords, stored on database, for the
 same password of two users.

 >
 
pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=
 >
 
pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=

 The password is **123456**.

 Imagine I am an attacker, who got the database of different django
 project, I want to look up the users who have the chosen the password
 123456.

 I have the salts of users stored in database.

 > make_password('123456', 'fb9cUsHWK4EMZ7VWGBAcGD')
 >
 
pbkdf2_sha256$600000$fb9cUsHWK4EMZ7VWGBAcGD$2uwiVefFwanIhxLrv+/t3sKvP4X6tDKEMw/ysHD5dIc=

 > make_password('123456', 'HgWHWrF2qQD9Owj4XeEkjY')
 >
 
pbkdf2_sha256$600000$HgWHWrF2qQD9Owj4XeEkjY$rh0qzfo+/ZCzWbL9ZJa8aKhiO5xoEMfT4EtP/+A+LzI=

 These are correct password combinations. I am able to lookup the users who
 have their passwords exposed in public.

 There is one more element needed for hashing the password, **pepper**,
 should be django project specific. Even when a database is exposed, the
 attacker will not be able to lookup the known passwords, since they don't
 have the secret pepper key.

 Is this a known issue?

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34661>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/01070188c5219cca-6d330ded-2d28-4764-acb4-696d19ef3ea5-000000%40eu-central-1.amazonses.com.

Reply via email to