SonarQube: SONAR-6949

Update the hash algorithm of password


      Description

      Reason

      Using SHA-1 to protect passwords is now considered less and less secure (more explanation: https://www.incapsula.com/blog/sha-1-hash-algorithm-deprecation.html).

      So we should upgrade to a stronger hash function implementation; we choose bcrypt for the time being.

      How to change hashed passwords?

      Since passwords are stored hashed in the database, migrating all passwords to the new algorithm in one pass is not possible (the plaintext is not available). So SonarQube must be able to keep the old SHA-1 hash and salt, but must upgrade the hash as soon as the plaintext is available again, i.e. as soon as the user:

      • logs in to SonarQube,
      • changes his password.

      Technical details:

      There are multiple implementations that are sufficient for the time being :

      • bcrypt,
      • scrypt,
      • Argon2,
      • PBKDF2 (even if it's less secure)

      Some literature about cryptographic hash functions:

      Java implementations:

      There is no good implementation in pure Java for Argon2, let's keep using bcrypt with jBCrypt
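The lazy upgrade described above (keep the legacy SHA-1 hash and salt, verify against it on login, and rewrite the row with the stronger algorithm once the plaintext is available again) as an added example; this is not SonarQube's code. It assumes a constructed legacy layout of SHA1(salt || password) and, because the verifier has no bcrypt library, uses PBKDF2-HMAC-SHA256 from the standard library as the stand-in for the bcrypt/jBCrypt choice made in the issue; the `hash_method` column and the `UserRecord` shape are assumptions too. The comparison is constant-time so the legacy branch does not become a timing oracle while it still exists.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed work factor for the stand-in algorithm; with bcrypt this would be the cost parameter.
PBKDF2_ITERATIONS = 200_000


@dataclass
class UserRecord:
    """Constructed stand-in for a users row: algorithm marker, salt and hex digest."""
    login: str
    hash_method: str        # "SHA1" for pre-migration rows, "PBKDF2" once upgraded (assumed column)
    salt: bytes
    crypted_password: str   # hex digest


def legacy_sha1(salt: bytes, password: str) -> str:
    """Assumed legacy layout: SHA1(salt || password). Kept only to verify old rows."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def strong_hash(salt: bytes, password: str) -> str:
    """Stand-in for bcrypt: a salted, iterated PBKDF2-HMAC-SHA256 digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS).hex()


def create_user(login: str, password: str) -> UserRecord:
    """New accounts are created directly with the strong algorithm."""
    salt = os.urandom(16)
    return UserRecord(login, "PBKDF2", salt, strong_hash(salt, password))


def create_legacy_user(login: str, password: str) -> UserRecord:
    """Constructed helper that simulates a row written before the migration."""
    salt = os.urandom(16)
    return UserRecord(login, "SHA1", salt, legacy_sha1(salt, password))


def change_password(user: UserRecord, new_password: str) -> None:
    """Any password change writes a fresh salt and the strong algorithm, dropping SHA-1."""
    user.salt = os.urandom(16)
    user.hash_method = "PBKDF2"
    user.crypted_password = strong_hash(user.salt, new_password)


def authenticate(user: UserRecord, password: str) -> bool:
    """Verify the password; on a successful legacy login, upgrade the stored hash in place."""
    if user.hash_method == "SHA1":
        ok = hmac.compare_digest(legacy_sha1(user.salt, password), user.crypted_password)
        if ok:
            # Plaintext is available right now: this is the only moment the row can be upgraded.
            change_password(user, password)
        return ok
    if user.hash_method == "PBKDF2":
        return hmac.compare_digest(strong_hash(user.salt, password), user.crypted_password)
    raise ValueError(f"unknown hash method {user.hash_method!r} for {user.login}")


def remaining_legacy_rows(users: list[UserRecord]) -> int:
    """Operational check: how many rows still carry SHA-1 (only cleared by login or password change)."""
    return sum(1 for u in users if u.hash_method == "SHA1")


if __name__ == "__main__":
    alice = create_legacy_user("alice", "s3cret")   # constructed pre-migration row
    bob = create_user("bob", "hunter2")             # constructed post-migration row
    print("legacy rows before login:", remaining_legacy_rows([alice, bob]))
    print("alice wrong password:", authenticate(alice, "nope"), "method still", alice.hash_method)
    print("alice correct password:", authenticate(alice, "s3cret"), "method now", alice.hash_method)
    print("legacy rows after login:", remaining_legacy_rows([alice, bob]))
```

A failed login leaves the legacy row untouched, so an attacker guessing passwords cannot trigger the rewrite; only a correct password does. Because rows are upgraded one login at a time, the number of remaining SHA-1 rows is worth reporting until it reaches zero, after which the legacy verification branch can be removed.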

            People

            Assignee: Eric Hartmann (eric.hartmann)
            Reporter: Eric Hartmann (eric.hartmann)