davep, 1 year ago

@atoponce unless you're updating a legacy SHA256 implementation. But maybe salt the initial hash before bcrypt or go the full DropBox with a global AES after bcrypt...

atoponce, 1 year ago

@davep Even if you're migrating algorithms, you can do that without pre-hashing. Just update it on next login:

1. User supplies password.
2. Service verifies SHA-256 hash.
3. Service hashes user password with bcrypt.
4. Service replaces SHA-256 hash with bcrypt hash.

davep, 1 year ago

@atoponce Sure, but that depends on user login which isn't really best practice IMO.

tychotithonus, 1 year ago

@davep @atoponce Unpopular mitigation opinion: if the user hasn't logged in in X days, in order to get rid of all legacy hashes, set their password to something random and trigger a password reset upon next login.

davep, 1 year ago

@tychotithonus @atoponce Both FB and DropBox have used "Onion Hashing" including a global secret either on bastion servers or HSMs and upgraded using legacy-key stretching-encryption (or similar) for the entirety of their user base. There's no friction unlike forcing a password reset.

A huge benefit is that without the master secret it's impossible to brute force. Dropbox use this as the last step so they can rotate their encryption keys if they want to.

Sorry if I'm teaching my Grandmother to suck eggs!