nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-06-10 11:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

settings: Choose password hashing complexity suitable for SBCs

Browse Source 
- Django 3.2 has a argon2 password hashing complexity unsuitable for single
board computers. Choose parameters suitable for Olimex Lime2 boards.

Tests:

- In a browser, login to a user without these changes. Notice the hash
parameters in sqlite3 auth_user table. Login with the changes. Notice that the
hash has been updated with latest has parameters.

- Login in Django 2.2 and Django 3.2. Login succeeds and hash parameters are
updated.

- As measured by the browser. Notice that change in login request time with and
without these changes

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This commit is contained in:
Sunil Mohan Adapa 2021-09-22 10:36:52 -07:00 committed by James Valleroy
parent 99c2325206
commit 17a83dee60
No known key found for this signature in database
GPG Key ID: 77C0C75E7B650808
2 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
plinth/hashers.py Normal file
View File

@ -0,0 +1,34 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
"""
Custom password hashers suitable for home servers.
"""
from django.contrib.auth.hashers import Argon2PasswordHasher
class Argon2PasswordHasherLowMemory(Argon2PasswordHasher):
"""Argon2 password hasher that uses less CPU and RAM than Django's default.
Derive from and override the default complexity parameters for Django. In
Django 2.2, the defaults are time: 2, memory: 512 and parallelism: 2. In
Django 3.2, the defaults are time: 2, memory: 102400, parallelism: 8. This
takes more than 3 seconds per verification on a Lime2 board.
On a Pioneer Edition, Olimex Lime2 board, the selected parameters result in
about 200ms for password verification:
$ python3 -m argon2 -p 2 -m 4096
Running Argon2id 100 times with:
hash_len: 16 bytes
memory_cost: 4096 KiB
parallelism: 2 threads
time_cost: 2 iterations
Measuring...
2.17e+02ms per password verification
"""
time_cost = 2 # Iterations
memory_cost = 4096 # KiB
parallelism = 2 # Threads

2
plinth/settings.py
View File

@ -131,7 +131,7 @@ MIDDLEWARE = (
)
PASSWORD_HASHERS = [
'django.contrib.auth.hashers.Argon2PasswordHasher',
'plinth.hashers.Argon2PasswordHasherLowMemory',
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',