hapi v13.0.0 is a tiny release with a single change to ensure passwords passed internally to the iron module are sufficiently long (a new minimum length of 32 characters). This release will simply assert if short passwords are passed. This is a critical verification, as short passwords are easy to exploit with a brute-force attack.
Upgrade time: low - no time to a couple of hours for most users
Risk: low - low risk of side effects and no changes to keep track of overall
Dependencies: low - applies to a single API call
Thanks to @tomsteele for his help with this release.
Sponsor
The v13.0.0 major release is sponsored by Sideway.
Breaking Changes
Requires passwords used to encrypt or sign cookies to be at least 32 characters long.
New Features
None.
Bug fixes
None.
Updated dependencies
iron from v3.0.1 to v4.0.0
statehood from v3.1.0 to v4.0.0
Migration Checklist
Password length
The new requirement will cause invalid configurations to fail with an error that the password string is too short. This is a good thing - you want it to fail, because if your password is indeed too short you are at real risk of being exploited. Because the internal encryption mechanism uses the pbkdf2 algorithm with a single iteration to generate the keys, key derivation is a quick operation. Because the method is called on every incoming request, increasing the iteration count would have a linear negative impact on performance. Instead, a long password creates far too many possible password combinations for an attacker to try in a timely manner.
Checklist:
Check your code for calls to server.state() and for connection state configuration that sets password or sign.password; if present, ensure you are passing a string that is at least 32 characters long.