[bitfolk] Please log in to the Panel web site to upgrade you…

Top Page
Author: Andy Smith
Date:  
To: announce
New-Topics: [bitfolk] Password hashes, was Re: Please log in...
Subject: [bitfolk] Please log in to the Panel web site to upgrade your password hash

Reply to this message
gpg: Signature made Fri Dec 28 21:22:15 2018 UTC using DSA key ID BF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>"
gpg: aka "Andrew James Smith <andy@strugglers.net>"
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>"
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>"
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>"
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>"
Hi,

== Short version

Please log in to https://panel.bitfolk.com/ to facilitate an upgrade
of the secure hash function used to protect your BitFolk password.

== Longer version

I've recently performed a major upgrade on our LDAP servers
(skipping multiple OS releases), and have taken the opportunity to
review what algorithms are used for protecting your BitFolk account
passwords.

We have been using the same LDAP directory since the beginning of
BitFolk in 2007 and the options for hash functions were a bit more
limited back then. Although I have changed the default algorithm
several times as servers were upgraded, once a given algorithm is
used for a user it is not changed until the user changes their
password.

So, worst case, if you have been a customer for 10 years and have
never changed your account password, it is currently hashed with an
algorithm which would today be considered obsolete for that purpose.

Sadly we cannot just upgrade everyone's hash scheme because we don't
know your passwords!

I have added functionality to the Panel web site to check which hash
algorithm is in use when you log in and if it isn't the new default
it sets your password to the same as the one you just supplied at
login. This upgrades you to the new default hash algorithm.

Therefore it would be good if you could take the time to log in to
https://panel.bitfolk.com/

If you do a password reset then it will also upgrade when you follow
the link to log in with the randomly-generated password. Also if you
change your password it will upgrade.

There is no visual feedback of this change happening, so you'll just
have to trust that it has. It is logged though, so I can tell you if
you want to know.

I'm afraid you will need to do this with each account you have, if
you have multiple VPSes.

=== What are cryptographic hash functions?

They're algorithms which map arbitrary data (your password) into an
output string of a fixed size, in a way which is not feasible to
reverse. We store the output in our password database, and if our
database (the LDAP directory) is ever leaked or stolen then we will
have some small comfort that the attacker would not be able to
immediately read your passwords in clear text.

=== Why do they need to change?

Computers get faster and flaws are discovered in algorithms. What
was once considered too difficult to brute-force can now be done in
seconds with a single computer. The ability to spin up a set of
servers with 1,000 GPUs is within the reach of many people.

=== Are you telling us to do this because there has been a
compromise?

No. It's just that there was a major upgrade in the last week which
everyone would benefit from; particularly the longest-standing
customers who will be stuck on algorithms older than the previous
default.

The other option would have been to invalidate everyone's passwords,
forcing a mass password change. That seemed likely to foster
speculation of compromise, and be a real annoyance besides.

=== Which algorithms are in use? What's the new default?

I'm afraid I would rather not comment on the specific algorithms
involved, but it's already public knowledge that we use OpenLDAP.
Here is documentation showing the options:

    http://www.openldap.org/doc/admin24/guide.html#Password%20Storage


…and this article gives some more modern (2016) recommendations:

    https://www.redpill-linpro.com/techblog/2016/08/16/ldap-password-hash.html


=== I'm confused; is something going to break if I don't take
action?

No. You can do nothing and your password will stay working and
protected with the same algorithm that was the default the last time
you changed your password (or when your account was created). Next
time you log in to the Panel (or do a password reset, or change your
password) it will be upgraded.

I just thought that I'd let people know they can influence things
sooner if they want to. Some customers have never logged in to the
Panel site, so their password hashes might never be upgraded
otherwise.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce@???
https://lists.bitfolk.com/mailman/listinfo/announce