issue2551253. default hash is PBKDF2-SHA512.

The default password hashing algorithm has been upgraded to
PBKDF2-SHA512 from PBKDF2-SHA1. The default pbkdf2 rounds in the
config file has been changed to 250000.

Doc updated.

Author: rouilj

CHANGES.txt

@@ -49,6 +49,13 @@ Fixed:
 - issue2551383 - Setting same address via REST PUT command results in
   an error. Now the userauditor does not trigger an error if a user
   sets the primary address to the existing value. (John Rouillard)
+- issue2551253 - Modify password PBKDF2 method to use SHA512. The
+  default password hashing algorithm has been upgraded to
+  PBKDF2-SHA512 from PBKDF2-SHA1. The default pbkdf2 rounds in the
+  config file has been changed to 250000. The admin should change it
+  manually if it is at 2 million. PBKDF2-SHA512 (PBKDF2S5) has been
+  available since release 2.3, but it required a manual step to make
+  it the default. (John Rouillard)
 
 Features:
 

doc/upgrading.txt

@@ -159,6 +159,41 @@ following diff::
 add the lines marked with ``+`` in the file in the location after
 check_main is assigned.
 
+Modify config.ini password_pbkdf2_default_rounds setting (recommended)
+----------------------------------------------------------------------
+
+The method for hashing and storing passwords has been updated to use
+PBKDF2 with SHA512 hash. This change was first introduced in Roundup
+2.3 and is now the standard. If you previously added code in
+interfaces.py for a `PBKDF2 upgrade`_ to enable PBKDF2S5, you can
+remove that code now.
+
+SHA512 is a more secure hash, it requires fewer rounds to ensure
+safety. The older PBKDF2-SHA1 needed around 2 million rounds.
+
+You should update the ``password_pbkdf2_default_rounds`` setting in
+``config.ini`` to 250000. This value is higher than the OWASP
+recommendation of 210000 from three years ago. If you don’t make this
+change, logins will be slow, especially for REST or XMLRPC calls.
+
+See `PBKDF2 upgrade`_ for details on how to test the algorithm's
+speed. We do not recommend reverting to the older SHA1 PBKDF2. If you
+have to do so due to a slow CPU, you can add the following to your
+tracker's ``interfaces.py``::
+
+  from roundup.password import Password
+  ## Use PBDKF2 (PBKDF2-SHA1) as default hash for passwords.
+  # That scheme is at the start of the deprecated_schemes list and ha
+  # to be removed.
+  Password.default_scheme = Password.deprecated_schemes.pop(0)
+  # Add PBKDF2S5 (PBKDF2-SHA512) as a valid scheme. Passwords
+  # using it will be rehashed to use PBDKF2.
+  Password.experimental_schemes[0] = "PBKDF2S5"
+
+If you proceed with this, you should set
+``password_pbkdf2_default_rounds`` to 2 million or more rounds to keep
+your hashed password database secure in case it gets stolen.
+
 Defusedxml support improves XMLRPC security (optional)
 ------------------------------------------------------
 
@@ -1292,6 +1327,8 @@ install an OS vendor package or some other library.
 
 .. _recommended setting of 1,300,000: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
 
+.. _PBKDF2 upgrade:
+
 Upgrade to PBKDF2-SHA512 from current PBKDF2-SHA1 (recommended)
 ---------------------------------------------------------------
 

roundup/configuration.py

@@ -1139,10 +1139,11 @@ def str2value(self, value):
             "get the error 'Error: field larger than field limit' during\n"
             "import."),
         (IntegerNumberGeqZeroOption, 'password_pbkdf2_default_rounds',
-         '2000000',
+         '250000',
             "Sets the default number of rounds used when encoding passwords\n"
-            "using the PBKDF2 scheme. Set this to a higher value on faster\n"
-            "systems which want more security.\n"
+            "using any PBKDF2 scheme. Set this to a higher value on faster\n"
+            "systems which want more security. Use a minimum of 250000\n"
+            "for PBKDF2-SHA512 which is the default hash in Roundup 2.5.\n"
             "PBKDF2 (Password-Based Key Derivation Function) is a\n"
             "password hashing mechanism that derives hash from the\n"
             "password and a random salt. For authentication this process\n"

roundup/password.py

@@ -331,7 +331,7 @@ class JournalPassword:
         version only reads the encryption scheme from the given
         encrypted password.
     """
-    default_scheme = 'PBKDF2'        # new encryptions use this scheme
+    default_scheme = 'PBKDF2S5'        # new encryptions use this scheme
     pwre = re.compile(r'{(\w+)}(.+)')
 
     def __init__(self, encrypted=''):
@@ -394,12 +394,12 @@ class Password(JournalPassword):
     1
     """
 
-    deprecated_schemes = ["SSHA", "SHA", "MD5", "plaintext"]
+    deprecated_schemes = ["PBKDF2", "SSHA", "SHA", "MD5", "plaintext"]
     if crypt:
         # place just before plaintext if crypt is available
         deprecated_schemes.insert(-1, "crypt")
-    experimental_schemes = ["PBKDF2S5"]
-    known_schemes = ["PBKDF2"] + experimental_schemes + \
+    experimental_schemes = []
+    known_schemes = ["PBKDF2S5"] + experimental_schemes + \
         deprecated_schemes
 
     def __init__(self, plaintext=None, scheme=None, encrypted=None,
@@ -442,6 +442,19 @@ def needs_migration(self, config):
                     new_rounds = 1000
             if rounds < int(new_rounds):
                 return True
+
+        if (self.scheme == "PBKDF2S5"):
+            new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
+            if ("pytest" in sys.modules and
+                "PYTEST_CURRENT_TEST" in os.environ):
+                if ("PYTEST_USE_CONFIG" in os.environ):
+                    new_rounds = config.PASSWORD_PBKDF2_DEFAULT_ROUNDS
+                else:
+                    # for testing
+                    new_rounds = 1000
+            if rounds < int(new_rounds):
+                return True
+
         return False
 
     def unpack(self, encrypted, scheme=None, strict=False, config=None):