MariaDB Server / MDEV-16503

documentation for SHA1 function tells user SHA2 is a secure way to store passwords




      The online documentation for function SHA1 (https://mariadb.com/kb/en/library/sha1/) says:

      "SHA1 is no longer considered cryptographically secure, and should not be used for password hashing."


      "SHA1 is no longer considered cryptographically secure, so for storing passwords, consider a more cryptographically secure function, such as SHA2()."

      Both of those sentences are super bad advice. Naive application developers might believe the developers of the MariaDB RDBMS know what they're talking about, consider the advice authoritative, and develop insecure applications. This is like creating a bug in example code and then being surprised when this bug is copy-pasted into production.

      Using any hash function, whether it's secure against collisions or not, directly to store passwords, even with long per-user salt, is extremely insecure, because password cracking rigs use multiple GPUs to check billions of combinations per second.

      NIST SP 800-63B says:

      "Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive. Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack."

      It is possible to build a secure password storage system using SHA1 or SHA2, but not by just adding salt and a loop. PBKDF2, the least secure password hashing method that is still secure, is not just a loop over SHA. It is not memory-hard, which even NIST now says you should use because of GPUs. bcrypt is better than PBKDF2, scrypt is better than bcrypt, argon2 is better than scrypt.

      If you are uncomfortable recommending specific secure password hashes (this is indeed not your job), just change the documentation to say "Don't use sha1 or sha2 to store passwords, use a real password storage format like PBKDF2, bcrypt or Argon2".




            greenman Ian Gilfillan
            zt_initech ZT
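
Added example, not part of the original report or of the MariaDB documentation: application-side password storage with a memory-hard key derivation function (scrypt from Python's standard library), using a per-user salt and a stored cost factor as the NIST text quoted above describes. The cost parameters, the `$`-separated record layout and the function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example: N=2**14, r=8 costs about 16 MiB per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
MAXMEM = 64 * 1024 * 1024  # upper bound on memory scrypt may use

def _derive(password, salt, n, r, p, dklen=32):
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=MAXMEM, dklen=dklen)

def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a self-describing record: scrypt$N$r$p$salt$hash (one text column)."""
    salt = os.urandom(16)  # fresh random salt for every password
    dk = _derive(password, salt, n, r, p)
    enc = lambda b: base64.b64encode(b).decode("ascii")
    return "$".join(["scrypt", str(n), str(r), str(p), enc(salt), enc(dk)])

def verify_password(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, dk_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        dk = _derive(password, salt, int(n), int(r), int(p), len(expected))
    except (ValueError, OverflowError):
        # Malformed record, or cost parameters that exceed MAXMEM.
        return False
    return hmac.compare_digest(dk, expected)

def needs_rehash(record):
    """True when a record is not scrypt at the current cost (upgrade at next login)."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return parts[1:4] != [str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P)]

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample input
    print(rec)
    print(verify_password("correct horse battery staple", rec), needs_rehash(rec))
```

Storing the parameters inside the record lets the cost be raised later without invalidating existing rows: verify with the stored values, then re-hash when `needs_rehash` returns true.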