I wonder how you want to attempt 2 or 3?
I've seen code examples for 2, but they ended up creating a link between the Keycloak
account and the old system database, instead of fully replacing the old (linked) account
with a new one.
How would 3 be possible without attempting to break the existing passwords?
However, our case was specific because we had an existing legacy solution with a hashing
algorithm not supported by Keycloak. We ended up with 1. An attempt to implement 2
failed.
Best regards,
Lukasz Lech
-----Original Message-----
From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org]
On Behalf Of Aaron Harnly
Sent: Wednesday, 27 March 2019 16:57
To: keycloak-user(a)lists.jboss.org
Subject: [keycloak-user] Password hash migration: what authority says "rehash the hash" is a good strategy?
We are migrating an older system with a deprecated password hashing strategy that we want
to bring up to modern standard.
There are a range of options for the migration, including:
1. Reset all user passwords (not ideal!)
2. Rehash after successful login (works, but leaves older hashes in storage until the
long tail of users have all logged in)
3. "Rehash the hashes", i.e. bulk replace the 'oldhash' values with newhash(oldhash),
with a custom verifier that does the double hash; then do #2 on login.
I'd like input on strategy #3, i.e. is there advice from authoritative sources
confirming that this is a secure strategy? It seems fine to my layperson's eyeballs,
and is surely better than leaving old hash values in storage for a long time. But I'd
like reassurance on it, and can't find anything other than stray Stack Overflow
responses[1, 2] or blog posts[3] discussing it.
[1]: https://crypto.stackexchange.com/q/2945
[2]: https://security.stackexchange.com/a/17294
[3]: https://www.michalspacek.com/upgrading-existing-password-hashes
Any suggestions for an authoritative source on this?
cheers
-Aaron
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
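The scheme Aaron asks about, strategy #3 (bulk-wrap every legacy hash as newhash(oldhash)) followed by strategy #2 (rehash natively on the next successful login), written out as an added example. This is not code from the thread, from Keycloak, or from either poster. It assumes the legacy scheme is unsalted SHA-1 hex, that the target scheme is PBKDF2-HMAC-SHA256 from the Python standard library with a 600,000-iteration count, and that the credential store is an in-memory dict keyed by username; the `algo` tag stored beside each hash is also an assumption, chosen so the verifier can tell the three states apart.

```python
import hashlib
import hmac
import os

# Assumed scheme tags, stored beside each hash so the verifier knows which path to take.
LEGACY = "sha1"                  # deprecated: unsalted SHA-1 hex of the password
WRAPPED = "pbkdf2_sha256(sha1)"  # strategy #3: new hash applied over the legacy hash
NATIVE = "pbkdf2_sha256"         # target scheme: PBKDF2-HMAC-SHA256 over the password

ITERATIONS = 600_000  # assumption: a current OWASP-level PBKDF2-HMAC-SHA256 work factor


def legacy_hash(password: str) -> str:
    """The deprecated scheme being migrated away from (assumed: unsalted SHA-1 hex)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2(material: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The modern scheme; `material` is either the raw password or the legacy hash."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def make_native(password: str) -> dict:
    """Build a fresh NATIVE record from a password we currently hold in memory."""
    salt = os.urandom(16)
    return {"algo": NATIVE, "salt": salt, "iterations": ITERATIONS,
            "hash": pbkdf2(password.encode("utf-8"), salt)}


def wrap_legacy(record: dict) -> dict:
    """Strategy #3: replace oldhash with newhash(oldhash); no password needed."""
    if record["algo"] != LEGACY:
        return record
    salt = os.urandom(16)
    # The legacy hex digest becomes the input to PBKDF2; the plain SHA-1 is discarded.
    return {"algo": WRAPPED, "salt": salt, "iterations": ITERATIONS,
            "hash": pbkdf2(record["hash"].encode("ascii"), salt)}


def bulk_migrate(db: dict) -> int:
    """One-shot pass over the whole credential table; returns how many rows were wrapped."""
    wrapped = 0
    for user, rec in db.items():
        if rec["algo"] == LEGACY:
            db[user] = wrap_legacy(rec)
            wrapped += 1
    return wrapped


def verify_and_upgrade(db: dict, user: str, password: str) -> bool:
    """Custom verifier for all three states; upgrades to NATIVE on success (strategy #2)."""
    rec = db.get(user)
    if rec is None:
        return False
    algo = rec["algo"]
    if algo == LEGACY:
        ok = hmac.compare_digest(rec["hash"], legacy_hash(password))
    elif algo == WRAPPED:
        # Recompute the double hash: PBKDF2 over the SHA-1 hex of the submitted password.
        inner = legacy_hash(password).encode("ascii")
        ok = hmac.compare_digest(rec["hash"], pbkdf2(inner, rec["salt"], rec["iterations"]))
    elif algo == NATIVE:
        ok = hmac.compare_digest(
            rec["hash"], pbkdf2(password.encode("utf-8"), rec["salt"], rec["iterations"]))
    else:
        return False  # unknown tag: fail closed rather than guess
    if ok and algo != NATIVE:
        # We now hold the verified plaintext, so replace the wrapped (or legacy) record.
        db[user] = make_native(password)
    return ok


if __name__ == "__main__":
    # Constructed sample data: one user whose stored credential is still a bare SHA-1.
    store = {"alice": {"algo": LEGACY, "hash": legacy_hash("correct horse battery")}}
    print("wrapped rows:", bulk_migrate(store), "->", store["alice"]["algo"])
    print("wrong password:", verify_and_upgrade(store, "alice", "wrong"))
    print("right password:", verify_and_upgrade(store, "alice", "correct horse battery"),
          "->", store["alice"]["algo"])
```

After `bulk_migrate` runs, no row in the store still carries the bare SHA-1 value, which is the point of strategy #3: an attacker who copies the table gets only PBKDF2 outputs and has to pay the full work factor per guess (computing SHA-1 first is negligible extra cost for them, and the unsalted inner hash is why the wrapped state is still treated as interim). The `algo` tag is what makes the verifier safe to run across a mixed table during the long tail of logins, and a row changes tag exactly once more, to the native scheme, on the user's next successful login.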