Add pepper to password hashing

Signed-off-by: Kent Shikama <kent@kentshikama.com>
2024-06-18 10:38:21 +02:00 · 2016-07-05 02:13:52 +09:00 · 2016-07-05 02:13:52 +09:00 · 8bdaf5f7af
parent 3de8168343
commit 8bdaf5f7af
2 changed files with 8 additions and 3 deletions
--- a/synapse/config/password.py
+++ b/synapse/config/password.py
@ -23,10 +23,14 @@ class PasswordConfig(Config):
    def read_config(self, config):
        password_config = config.get("password_config", {})
        self.password_enabled = password_config.get("enabled", True)
+        self.pepper = password_config.get("pepper", "")

    def default_config(self, config_dir_path, server_name, **kwargs):
        return """
        # Enable password for login.
        password_config:
           enabled: true
-        """
+           # Uncomment for extra security for your passwords.
+           # DO NOT CHANGE THIS AFTER INITIAL SETUP!
+           #pepper: "HR32t0xZcQnzn3O0ZkEVuetdFvH1W6TeEPw6JjH0Cl+qflVOseGyFJlJR7ACLnywjN9"
+        """
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@ -750,7 +750,7 @@ class AuthHandler(BaseHandler):
        Returns:
            Hashed password (str).
        """
-        return bcrypt.hashpw(password, bcrypt.gensalt(self.bcrypt_rounds))
+        return bcrypt.hashpw(password + self.hs.config.password_config.pepper, bcrypt.gensalt(self.bcrypt_rounds))

    def validate_hash(self, password, stored_hash):
        """Validates that self.hash(password) == stored_hash.
@ -763,6 +763,7 @@ class AuthHandler(BaseHandler):
            Whether self.hash(password) == stored_hash (bool).
        """
        if stored_hash:
-            return bcrypt.hashpw(password, stored_hash.encode('utf-8')) == stored_hash
+            return bcrypt.hashpw(password + self.hs.config.password_config.pepper,
+                                 stored_hash.encode('utf-8')) == stored_hash
        else:
            return False