Skip to content

Hash passwords with PBKDF2+SHA512

Drew Blessing requested to merge dblessing_pbkdf2_passwords into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Part 2 of #360658 (closed). Utilize the previously vendored devise-pbkdf2-sha512 gem to now hash user passwords with PBKDF2+SHA512. This will opportunistically migrate existing BCrypt-encrypted passwords to the new hash format.

Feature Flags

This MR includes two feature flags.

  • pbkdf2_password_encryption is the over-arching feature flag determining whether this feature will be utilized.
  • pbkdf2_password_encryption_write is the flag that determines whether new user passwords will use the new hash format, and whether existing users will be opportunistically migrated. This flag is scoped to users.

These two flags should be initially enabled at the same time. The pbkdf2_password_encryption_write flag can utilize a percentage rollout if desired. Then if we encounter any problems we can disable just the pbkdf2_password_encryption_write flag, preventing further users from using the new format. However, users that already have the new format can continue to sign-in successfully as long as pbkdf2_password_encryption remains enabled.

If both flags need to be disabled, any user with a password stored in the new format will be unable to sign in and will require a password reset.

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing

Merge request reports

Loading