SRP should use scrypt to strengthen the password before the srp dance
We're still using plain passwords to do the SRP dance. SRP then does SHA256 for the verifier, which is meant to be fast.
I think I pointed this out before but let me stress this again. If someone gets hold of the verifier (say by exploiting a bug in the webapp) they can brute-force the SHA256. Now you might say at least it's not MD5 - but the difference between the two is for generating collisions. They both are hash functions - not key derivation functions - which means they are optimized for speed and easily parallelized.
Hashcat[1] will give you 14 Ghz at hashing on a single machine with 8 graphics cards (PC3). That is cracking 34 bits of entropy in a second. Using the xkcd password strength meter[2] that is equivalent to cracking Tr0ub4dor&3 64 times. "correct horse battery staple" would take 16 minutes.
Scary - in particular if that also means being able to read all those nicely encrypted emails you received and sent.
Interestingly, Firefox Sync had a similar problem to solve[3]. They came up with a solution[4] very similar to what we have been using but used scrypt[5] to strengthen the password before the SRP dance. They ended up dropping SRP altogether and rely on TLS in order to be able to run scrypt on the server instead of the client and get stronger key stretching on mobile phones.
I think we should add scrypt to the mix as soon as possible and upgrade the existing passwords. It might be slow on mobile but even a weak scrypt would get us a long way.
My understanding is that this would be a client-only change. The client would have to authenticate with the old non-scrypted password and then replace it with a scrypted version. Same goes for the JavaScript auth on the website. There's a plain JS version of scrypt, so that should help. Otherwise I would have preferred Argon2 - the winner of the password hashing contest. But I have not found any pure JS version of it (yet).
[1] https://hashcat.net/oclhashcat/
[2] https://xkcd.com/936/
[3] https://www.youtube.com/watch?v=G16rOGmpBUc
[4] https://wiki.mozilla.org/Identity/AttachedServices/KeyServerProtocol
[5] https://www.tarsnap.com/scrypt/scrypt.pdf
(from redmine: created on 2016-03-28, relates #6398 (closed))
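To make the difference concrete, here is an added Python example (not code from this project): `x_plain` is the RFC 5054-style derivation the ticket describes (two SHA-256 calls per candidate password), and `x_stretched` runs scrypt over the password first and feeds its output into the same formula. The RFC 5054 1024-bit group, the scrypt parameters and the function names are assumptions made for the example.

```python
import hashlib
import time

# SRP group: RFC 5054's 1024-bit prime and generator g = 2 (assumed here; the same
# reasoning applies to any SRP group, only the size of v changes).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def x_plain(username: str, password: str, salt: bytes) -> int:
    # What the ticket describes as today's scheme (RFC 5054 style):
    # x = H(salt | H(username ":" password)), i.e. two fast SHA-256 calls per candidate.
    inner = sha256(username.encode(), b":", password.encode())
    return int.from_bytes(sha256(salt, inner), "big")

def x_stretched(username: str, password: str, salt: bytes,
                n: int = 2 ** 14, r: int = 8, p: int = 1) -> int:
    # Proposed change (constructed here): stretch with scrypt first and feed the
    # 32-byte output into the same formula in place of the plain password.
    stretched = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    inner = sha256(username.encode(), b":", stretched)
    return int.from_bytes(sha256(salt, inner), "big")

def verifier(x: int) -> int:
    # v = g^x mod N is what the server stores and what leaks with the database.
    return pow(G, x, N)

def matches(username: str, candidate: str, salt: bytes, v: int, stretched: bool) -> bool:
    # Checking one candidate against a stored verifier costs exactly one x computation:
    # cheap and GPU-friendly for x_plain, tunable via scrypt's n/r/p for x_stretched.
    fn = x_stretched if stretched else x_plain
    return verifier(fn(username, candidate, salt)) == v

def seconds_per_candidate(username: str, salt: bytes, stretched: bool, rounds: int = 5) -> float:
    # Rough per-candidate cost on this CPU, to compare the two derivations side by side.
    fn = x_stretched if stretched else x_plain
    start = time.perf_counter()
    for i in range(rounds):
        fn(username, f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds
```

Running `seconds_per_candidate` for both variants shows the per-guess cost scrypt adds; the migration the ticket proposes is simply re-registering each user's verifier from `x_stretched` after a successful login with the old one.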