Code review comment for lp:~hazmat/pyjuju/security-specification

Revision history for this message
Kapil Thangavelu (hazmat) wrote :

Excerpts from Clint Byrum's message of Thu Jun 09 23:51:31 UTC 2011:
> Hi Kapil.
> I noticed you're suggesting MD5 for the password hashes. I'd suggest going 1 step further and using multiple iterations of MD5. Grid computing has made cracking a single MD5 password trivial. Hash 200,000 times, and at least you require 200,000 times more power to do a mass dictionary attack (and it shouldn't add much time considering how seldom the actual password will need to be checked.

Its actually not something we control explicitly as what we set for the acl identity token (the username:md5hash) needs to match the enforcement side which is provided by zookeeper. We could in future play around with a zk authentication plugin that we could provide custom logic for, but i think we've deemed modification of zk out of scope for the moment. I agree though that things like cuda/gpugpu programming and the fact that we're manipulating cloud environments, makes brute force attacks more likely and it would be nice to have a more resistant approach.

« Back to merge proposal