Increase hashing iterations for D7 and D8. [#1203852]

Thanks to Moore's law, we need to regularly increase the hash count to keep our password hashing at a constant resistance to cracking.

For more information see: #1201444: Strenghten password hashing mechanism and #29706: More secure password hashing and http://api.drupal.org/api/drupal/includes--password.inc/constant/DRUPAL_...

I wrote the comment about increasing this every version assuming we were on ~18-24 month release cycles. Since D7 stretched out more, I think we should increase now by 1 for D7 and 2 for D8.

Comment	File	Size	Author
#2	1203852-hash-count-D7-2.patch	461 bytes	pwolanin
#1	1203852-hash-count-D7-1.patch	461 bytes	pwolanin
#1	1203852-hash-count-D8-1.patch	461 bytes	pwolanin

Comments

Comment #1

pwolanin commented 29 June 2011 at 13:09

Status:

Active

» Needs review

Status	File	Size
new	1203852-hash-count-D8-1.patch	461 bytes
new	1203852-hash-count-D7-1.patch	461 bytes

Here are 2 trivial patches to make that change for 7 and 8.

Comment #2

pwolanin commented 29 June 2011 at 13:10

Status	File	Size
new	1203852-hash-count-D7-2.patch	461 bytes

oops - those were both the same - here's the one for D7.

Comment #3

pwolanin commented 29 June 2011 at 13:13

Issue tags:

+Needs backport to D7

Incrementing the hash periodically makes sense, but we should sanity-check the execution time. 2^14 rounds takes about 65ms on a core 2 duo. Do we have a target in mind for the wall time? One concern is clock rates have not changed much since this was originally committed in 2008. Moore's law has given us more cores, but this is the wrong kind of asymmetry - attackers can crack in parallel, but an individual login cannot run _password_crypt() in parallel.

pwolanin didn't mention it, but the count is stored embedded in the hash - so old passwords will continue to work (and will be re-hashed automatically as users log in).