Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-67774

Allow option of specifying password peppers in config.php to complement salt

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: Future Dev
    • Fix Version/s: None
    • Component/s: Authentication

      Description

      NIST guidelines from 2017 recommend a pepper as well as a salt, see:

      https://en.wikipedia.org/wiki/Pepper_(cryptography)

      Roughly, a pepper is a component of the salt, but stored separately and in this case would be in config.php. By splitting them it means that if the db is compromised the partial hashes are useless.

      Unlike a salt, the pepper is not unique and would be shared for all users, and must be kept secret.

      I would also want a simple method to allow multiple peppers so they can be rotated like:

       

      $CFG->passwordpeppers = [
          '2019' => 'blahsecret45678',
          '2018' => 'blahsecret12345',
      ];

       

       

      Whenever we confirm hashes we'll check against all peppers but upgrade it to the latest one which is first in the list.

      The pepper needs to have a decent amount of entropy so I'd throw a config exception if the primary pepper is too short, min 112 bits of entropy, so the pepper itself cannot be easily brute forced if you have a known password + hash combo.

       

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              brendanheywood Brendan Heywood
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: