
Tech debt: the implementation of PBKDF2+SHA512 user password hashing implies it is the default when it is not

Problem

Risks for GitLab.com security and availability:

  1. There is a risk of enabling pbkdf2_password_encryption_write by accident on GitLab.com when we want to retain BCrypt.
  2. https://docs.gitlab.com/ee/security/password_storage.html#password-storage says BCrypt is the default.
  3. Because feature flags are enabled by default in the test environment, the test suite exercises PBKDF2+SHA512 and not BCrypt.

Proposal

  1. Remove the read feature flag so that any GitLab instance can read both BCrypt and PBKDF2+SHA512 passwords without issues.
  2. Refactor the code so it doesn't look like PBKDF2+SHA512 is the default mechanism. The write strategy should be chosen from application config or from whether FIPS mode is enabled, not from a feature flag.
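The shape the proposal describes, as an added illustration rather than GitLab's own code: reading is unconditional and keyed off the stored hash string, while the write algorithm is decided once from configuration, with BCrypt as the explicit default and PBKDF2+SHA512 used only under FIPS mode or an operator opt-in. The module name, the keyword arguments, the iteration count and the "$pbkdf2-sha512$iterations$salt$digest" string layout are assumptions for this example, not GitLab's stored format. PBKDF2 is computed with Ruby's stdlib OpenSSL; the BCrypt branch delegates to the bcrypt gem (assumed installed, as Devise uses it).

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example (not GitLab code): read both hash formats unconditionally,
# choose what to write from application config rather than a feature flag.
module PasswordStore
  PBKDF2_PREFIX     = '$pbkdf2-sha512$'
  PBKDF2_ITERATIONS = 20_000   # assumed value for the illustration
  SALT_BYTES        = 16
  KEY_BYTES         = 64       # SHA-512 output length

  # The write strategy is decided from config so the default is explicit:
  # BCrypt unless FIPS mode is on (BCrypt is not a FIPS-approved algorithm)
  # or the operator opts in to PBKDF2+SHA512.
  def self.write_strategy(fips_mode: false, pbkdf2_sha512: false)
    (fips_mode || pbkdf2_sha512) ? :pbkdf2_sha512 : :bcrypt
  end

  def self.hash_password(password, strategy)
    case strategy
    when :pbkdf2_sha512 then pbkdf2_hash(password)
    when :bcrypt        then bcrypt_hash(password)
    else raise ArgumentError, "unknown write strategy #{strategy.inspect}"
    end
  end

  # Verification never consults a flag: the stored string says which
  # algorithm produced it, so existing hashes stay readable either way.
  def self.valid?(password, stored)
    if stored.start_with?(PBKDF2_PREFIX)
      pbkdf2_valid?(password, stored)
    elsif stored.start_with?('$2')          # BCrypt modular-crypt prefix ($2a$, $2b$, ...)
      bcrypt_valid?(password, stored)
    else
      false                                 # unknown or corrupt hash: fail closed
    end
  end

  def self.pbkdf2_hash(password, salt: SecureRandom.random_bytes(SALT_BYTES),
                       iterations: PBKDF2_ITERATIONS)
    digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                      length: KEY_BYTES, hash: 'sha512')
    "#{PBKDF2_PREFIX}#{iterations}$#{Base64.strict_encode64(salt)}$#{Base64.strict_encode64(digest)}"
  end

  def self.pbkdf2_valid?(password, stored)
    _, _algorithm, iterations, salt_b64, digest_b64 = stored.split('$')
    return false if iterations.nil? || salt_b64.nil? || digest_b64.nil?

    # Recompute with the stored salt and iteration count, then compare in
    # constant time so a mismatch does not leak where the digests diverge.
    recomputed = pbkdf2_hash(password, salt: Base64.strict_decode64(salt_b64),
                             iterations: Integer(iterations))
    secure_equal?(recomputed, stored)
  rescue ArgumentError
    false                                   # malformed base64 or iteration count
  end

  def self.bcrypt_hash(password)
    require 'bcrypt'                        # bcrypt gem, assumed installed
    BCrypt::Password.create(password).to_s
  end

  def self.bcrypt_valid?(password, stored)
    require 'bcrypt'
    BCrypt::Password.new(stored) == password
  rescue BCrypt::Errors::InvalidHash
    false
  end

  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  strategy = PasswordStore.write_strategy(fips_mode: true)
  stored   = PasswordStore.hash_password('correct horse', strategy)
  puts "write strategy: #{strategy}"
  puts "stored: #{stored}"
  puts "verify: #{PasswordStore.valid?('correct horse', stored)}"
end
```

Point 3 of the problem statement maps directly onto this layout: with the algorithm chosen by write_strategy rather than a flag that tests enable by default, a spec can pin the default to :bcrypt and separately cover the FIPS path, instead of silently exercising only PBKDF2+SHA512.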

#367147 (comment 1035749346)

/cc @dblessing @nmalcolm @stanhu @jarka @hsutor

Edited by Thong Kuah