SonarQube / SONAR-6949

Update the hash algorithm of password

      Description

      Reason

      SHA-1 for protecting passwords is now considered less and less secure (more explanation: https://www.incapsula.com/blog/sha-1-hash-algorithm-deprecation.html).

      So we should move to a stronger password hashing function; we choose bcrypt for the time being.

      How to change hashed passwords?

      Since passwords are stored hashed in the database, migrating all passwords to the new algorithm at once is not possible. So SonarQube must keep the old SHA-1 hash and salt, but must upgrade the hash to the new algorithm as soon as the user:

      • logs in to SonarQube,
      • changes his password.

      Technical details:

      There are multiple implementations that are sufficient for the time being:

      • bcrypt,
      • scrypt,
      • Argon2,
      • PBKDF2 (even if it is less secure)

      Some literature about cryptographic hash functions:

      Java implementations:

      There is no good implementation in pure Java for Argon2, so let's keep using bcrypt with jBCrypt.
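      As an added illustration (not SonarQube's own code), the lazy upgrade described above in Java with jBCrypt: a legacy row is verified against its stored SHA-1 hash and salt and, on success, rehashed with bcrypt, while the password-change path writes bcrypt directly. The legacy digest layout sha1Hex("--" + salt + "--" + password + "--"), the UserRecord fields and the use of java.util.HexFormat (Java 17) are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import org.mindrot.jbcrypt.BCrypt;

public final class PasswordUpgrade {
    private static final int BCRYPT_COST = 12;
    // Stand-in for the users row (assumed layout): algorithm marker, hash and legacy salt.
    static final class UserRecord {
        String hashMethod;       // "SHA1" for legacy rows, "BCRYPT" once upgraded
        String cryptedPassword;
        String salt;             // only meaningful for the SHA1 scheme
    }
    // Legacy digest, assumed here as sha1Hex("--" + salt + "--" + password + "--").
    static String legacySha1(String salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] in = ("--" + salt + "--" + password + "--").getBytes(StandardCharsets.UTF_8);
            return HexFormat.of().formatHex(md.digest(in));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Password-change path: always writes bcrypt and drops the legacy salt.
    static void setPassword(UserRecord user, String newPassword) {
        user.cryptedPassword = BCrypt.hashpw(newPassword, BCrypt.gensalt(BCRYPT_COST));
        user.salt = null;
        user.hashMethod = "BCRYPT";
    }

    // Login path: verifies with whatever scheme the row uses; a legacy row that
    // verifies is rehashed with bcrypt while the cleartext is still available.
    static boolean authenticate(UserRecord user, String password) {
        if ("BCRYPT".equals(user.hashMethod)) {
            return BCrypt.checkpw(password, user.cryptedPassword);
        }
        if ("SHA1".equals(user.hashMethod)) {
            byte[] expected = user.cryptedPassword.getBytes(StandardCharsets.UTF_8);
            byte[] actual = legacySha1(user.salt, password).getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(expected, actual)) {
                return false;   // wrong password: leave the row untouched
            }
            setPassword(user, password);
            return true;
        }
        return false;   // unknown scheme: fail closed
    }
}
```

      Rows that never log in again stay on SHA-1 indefinitely, so a deployment should still report how many legacy rows remain and consider forcing a reset for them.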

            People

            • Assignee: eric.hartmann Eric Hartmann
            • Reporter: eric.hartmann Eric Hartmann