[open-ils-commits] [GIT] Evergreen ILS branch rel_2_10 updated. 6ce4384ce50ef2dd688834aa62966bb7aa6a9500
Evergreen Git
git at git.evergreen-ils.org
Thu Mar 3 11:47:51 EST 2016
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".
The branch, rel_2_10 has been updated
via 6ce4384ce50ef2dd688834aa62966bb7aa6a9500 (commit)
from 763c4e7a716154c7ea2ce24cf85f6cd5ad70bcee (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 6ce4384ce50ef2dd688834aa62966bb7aa6a9500
Author: Bill Erickson <berickxx at gmail.com>
Date: Thu Mar 3 11:43:10 2016 -0500
2.10 release notes password work factor
Adding documentation on modifying password encryption work factor to
2.10 release notes.
Signed-off-by: Bill Erickson <berickxx at gmail.com>
Signed-off-by: Galen Charlton <gmc at esilibrary.com>
diff --git a/docs/RELEASE_NOTES_2_10.adoc b/docs/RELEASE_NOTES_2_10.adoc
index b7dd8e0..dcb66e6 100644
--- a/docs/RELEASE_NOTES_2_10.adoc
+++ b/docs/RELEASE_NOTES_2_10.adoc
@@ -281,6 +281,46 @@ whether a patron logs back into the system.
Beware that doing this for all users in the a large database will
take some time and should probably be performed in batches.
+Changing Encryption Work Factor
++++++++++++++++++++++++++++++++
+
+Roughly speaking, the 'work factor' determines the amount of time/effort
+required to crack passwords. The higher the value, the more secure the
+password. Higher values also mean that it takes longer for password
+verification (e.g. during login) to work.
+
+At time of release, Evergreen uses a work factor value of 10. The value
+is set in the database table/column actor.passwd_type.iter_count (hash
+iteration count). When this value is modified, any passwords created or
+modified after the change will use the new work factor. Other passwords
+will continue using the work factor in place when they were
+created/modified, until they are changed once again.
+
+Beware that raising the work factor can have a significant impact on
+login speeds. A work factor of 10 requires ~0.1 seconds to verify a
+password. A work factor of 15 takes almost 2 full seconds! Also beware
+that once a password is encoded with a higher work factor, it cannot be
+lowered again through any automatic means. The owner of the password
+would have to login and modify the password after the work factor is
+re-lowered.
+
+Because of this, it's recommended that admins thoroughly test work
+factor modifications before deploying to production.
+
+To check encryption timing:
+
+[source,sq]
+--------------------------------------------------------------------------
+-- enable psql timing
+evergreen=# \timing
+
+-- encode password "HELLOWORLD" with a work factor of 10.
+evergreen=# select crypt('HELLOWORLD', gen_salt('bf', 10));
+(1 row)
+
+Time: 95.082 ms
+--------------------------------------------------------------------------
+
open-ils.auth_internal
++++++++++++++++++++++
To support the new storage mechanism, a new Evergreen service has
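Review bot: the source block in this hunk is tagged `[source,sq]`, which should be `[source,sql]` so the psql example renders as SQL. In the same block, the result line between `evergreen=# select crypt('HELLOWORLD', gen_salt('bf', 10));` and `(1 row)` is missing, so the session reads like a paste error; either include the returned hash line or a placeholder, or drop the `(1 row)` line and keep only `Time: 95.082 ms`. On wording, `crypt()` with `gen_salt('bf', 10)` is bcrypt password hashing rather than encryption, so "Changing Encryption Work Factor" and "To check encryption timing" would be more accurate as "Hashing"; and since the text's own numbers (~0.1 s at 10, almost 2 s at 15) show the cost growing much faster than linearly, a sentence saying that each step up roughly doubles the verification time would stop admins from treating `iter_count` as a linear "iteration count" and raising it by large jumps.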
-----------------------------------------------------------------------
Summary of changes:
docs/RELEASE_NOTES_2_10.adoc | 40 ++++++++++++++++++++++++++++++++++++++++
1 files changed, 40 insertions(+), 0 deletions(-)
hooks/post-receive
--
Evergreen ILS