Make Default Password Alg. settable on the install page #14674

Closed
6543 opened this issue Feb 13, 2021 · 3 comments · Fixed by #14701
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@6543
Member

6543 commented Feb 13, 2021

> ... we just move back to pbkdf2 but make it settable on the install page with warnings about the issues.

Originally posted by @zeripath in #14294 (comment)

@6543 6543 added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Feb 13, 2021
@CirnoT
Contributor

CirnoT commented Feb 13, 2021

> we just move back to pbkdf2

Please think very carefully about this - this is a clear downgrade in terms of security that everyone upgrading will need to address themselves and adjust config accordingly if they don't wish to accept it. Make sure that if you proceed with reverting the default algo to pbkdf2, it is clearly communicated in the release notes along with an example given to users on how to avoid this change happening.

> but make it settable on the install page with warnings about the issues.

Nothing against this.

@zeripath
Contributor

There's a balance here.

Argon2 is clearly causing multiple problems.

I cannot recommend argon2 in good conscience at present.

I agree we need to make this very clear on the blog post releasing the version as it clearly is extreme

@lunny
Member

lunny commented Feb 15, 2021

We should note that in our release notes of v1.13.3 and v1.14.0.
And we also need an option on the install page where we can detect the server's total memory to recommend one algorithm. For memory > 2GB we can recommend argon2 and otherwise pbkdf2, and users can still change it to scrypt and others.

And this is only the default algorithm; users could still change it in the configuration file.
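The memory-based recommendation lunny describes, written out as an added example (this is not Gitea's code and not part of the issue): it parses the `MemTotal` line of a Linux `/proc/meminfo`, applies the 2 GB threshold from the comment, and falls back to a constructed sample when `/proc/meminfo` is unavailable. The function names `RecommendPasswordAlgo`, `ParseMemTotal` and `DetectTotalMemory`, the sample `meminfo` text, and the choice of a strict `>` comparison at exactly 2 GiB are all assumptions made for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Threshold taken from the discussion above: hosts with more than 2 GB of
// memory get the memory-hard argon2 suggested; smaller hosts get pbkdf2.
// Interpreting "2GB" as 2 GiB is an assumption of this example.
const argon2MinMemoryBytes uint64 = 2 << 30

// RecommendPasswordAlgo maps total system memory to a suggested default
// password hash algorithm. Hypothetical helper, not a Gitea API.
func RecommendPasswordAlgo(totalMemoryBytes uint64) string {
	if totalMemoryBytes > argon2MinMemoryBytes {
		return "argon2"
	}
	return "pbkdf2"
}

// ParseMemTotal extracts the MemTotal value from /proc/meminfo-style text
// and returns it in bytes. The kernel reports the value in kB (kibibytes).
func ParseMemTotal(meminfo string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(meminfo))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "MemTotal:") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			return 0, fmt.Errorf("malformed MemTotal line: %q", line)
		}
		kb, err := strconv.ParseUint(fields[1], 10, 64)
		if err != nil {
			return 0, fmt.Errorf("parse MemTotal: %w", err)
		}
		return kb * 1024, nil
	}
	return 0, fmt.Errorf("MemTotal not found in meminfo")
}

// DetectTotalMemory reads the live /proc/meminfo; this only works on Linux.
func DetectTotalMemory() (uint64, error) {
	data, err := os.ReadFile("/proc/meminfo")
	if err != nil {
		return 0, err
	}
	return ParseMemTotal(string(data))
}

// sampleMeminfo is a constructed /proc/meminfo excerpt for a 1 GiB host,
// used when the real file cannot be read.
const sampleMeminfo = `MemTotal:        1048576 kB
MemFree:          204800 kB
Buffers:           10240 kB
`

func main() {
	total, err := DetectTotalMemory()
	if err != nil {
		// Not Linux, or /proc is unavailable: use the constructed sample.
		total, _ = ParseMemTotal(sampleMeminfo)
	}
	fmt.Printf("total memory: %d MiB -> recommended default: %s\n",
		total>>20, RecommendPasswordAlgo(total))
}
```

The recommendation is only a default for the install page; whatever it picks, the operator can still override the algorithm in the configuration file, as the comment notes.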

zeripath added a commit to zeripath/gitea that referenced this issue Feb 16, 2021
Fix go-gitea#14674

Signed-off-by: Andrew Thornton <art27@cantab.net>
6543 pushed a commit that referenced this issue Feb 16, 2021
Add Password Algorithm option to install page

Fix #14674 

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
@go-gitea go-gitea locked and limited conversation to collaborators May 13, 2021