Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Consider the future of passlib and password hashing/upgrading #15454

Open
miketheman opened this issue Feb 22, 2024 · 0 comments
Open

Consider the future of passlib and password hashing/upgrading #15454

miketheman opened this issue Feb 22, 2024 · 0 comments
Labels
needs discussion a product management/policy issue maintainers and users should discuss security Security-related issues and pull requests

Comments

@miketheman
Copy link
Member

We use passlib in warehouse as part of our user account management service:

warehouse/warehouse/accounts/services.py

Lines 79 to 93 in 26a3446

self.hasher = CryptContext(
schemes=[
"argon2",
"bcrypt_sha256",
"bcrypt",
"django_bcrypt",
"unix_disabled",
],
deprecated=["auto"],
truncate_error=True,
# Argon 2 Configuration
argon2__memory_cost=1024,
argon2__parallelism=6,
argon2__time_cost=6,
)

The TL;DR of what this does is allows user password hash algorithms to evolve over time, and as users log in with their passwords they are confirmed and replaced with the newer (presumably more secure) hash algorithms, preventing the user from needing to reset a password only to get the latest and greatest algorithm.

passlib hasher docs can be found here: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.html

The most recent release of passlib was in 2020, and raises warnings for using crpyt, which will turn into breakages under Python 3.13, so this is not yet a blocker, it's something we should consider long before it becomes one.

Here's an issue for maintenance status that has yet to be resolved, either by nominating new maintainers, or some other resolution.

In the interim another contender has emerged - pwdlib (author launch blog post), which appears to have argon2 and bcrypt support.

So in theory, we could leverage pwdlib and continue to leverage the upgradability-behavior, however we'd still need to account for folks that have yet to log in in modern times and the lack of older algo support in pwdlib.
pwdlib also does not yet support disable() or is_enabled() which we use today, but could be replaced by using the boolean flag User.is_active or such.

Alternately, since it's not urgent yet, we can continue to observe the evolving space around passlib and hope that a new maintenance team arises before it becomes a severe issue.

Some SQL counting:

warehouse=> SELECT
  CASE
    WHEN password LIKE '$argon2%' THEN 'argon2'
    WHEN password LIKE '$bcrypt-sha256%' THEN 'bcrypt_sha256'
    WHEN password LIKE '$2b$%' THEN 'bcrypt'
    WHEN password LIKE 'bcrypt$%' THEN 'django_bcrypt'
    WHEN password LIKE 'spammer' THEN 'disabled'
    WHEN password LIKE '!' THEN 'disabled'
    ELSE 'other'
  END AS hash_type,
  COUNT(*)
FROM users
GROUP BY hash_type
ORDER BY COUNT(*) DESC;
   hash_type   | count
---------------+--------
 argon2        | 671847
 bcrypt_sha256 |  76452
 disabled      |  28087
 django_bcrypt |  10930
(4 rows)
@miketheman miketheman added needs discussion a product management/policy issue maintainers and users should discuss security Security-related issues and pull requests labels Feb 22, 2024
@miketheman miketheman mentioned this issue Feb 22, 2024
Open
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs discussion a product management/policy issue maintainers and users should discuss security Security-related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@miketheman