[feat] Use Argon2 password hashes #403

New issue

Closed

opened 2022-12-28 18:33:41 +00:00 by norm · 2 comments

norm commented 2022-12-28 18:33:41 +00:00

Contributor

Copy link

The idea

Akkoma should use a more modern password hashing algorithm like Argon2 to make passwords harder to crack in the event of a database leak.

There is an Elixir implementation of Argon2: https://hex.pm/packages/argon2_elixir.

The reasoning

Akkoma currently uses PBKDF2 as its password hashing algorithm. However, it relatively easy to brute force with GPUs and ASICs compared to more modern hashing algoirthms.

Have you searched for this feature request?

• I have double-checked and have not found this feature request mentioned anywhere.
• This feature is related to the Akkoma backend specifically, and not pleroma-fe.

### The idea Akkoma should use a more modern password hashing algorithm like [Argon2](https://en.wikipedia.org/wiki/Argon2) to make passwords harder to crack in the event of a database leak. There is an Elixir implementation of Argon2: https://hex.pm/packages/argon2_elixir. ### The reasoning Akkoma currently uses PBKDF2 as its password hashing algorithm. However, it relatively easy to brute force with GPUs and ASICs compared to more modern hashing algoirthms. ### Have you searched for this feature request? - [x] I have double-checked and have not found this feature request mentioned anywhere. - [x] This feature is related to the Akkoma backend specifically, and not pleroma-fe.

norm added the

feature request

label 2022-12-28 18:33:41 +00:00

floatingghost commented 2022-12-29 17:43:16 +00:00

Owner

Copy link

yes 100% i want to do this

did you know there's backwards compat for passwords like 3 hashing schemes back? (https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/lib/pleroma/web/plugs/authentication_plug.ex#L41)

there shouldn't be :aaaa:

yes 100% i want to do this did you know there's backwards compat for passwords like 3 hashing schemes back? (https://akkoma.dev/AkkomaGang/akkoma/src/branch/develop/lib/pleroma/web/plugs/authentication_plug.ex#L41) there shouldn't be :aaaa:

floatingghost added the

planned

label 2022-12-29 17:43:47 +00:00

floatingghost commented 2022-12-30 02:47:45 +00:00

Owner

Copy link

implemented via 9be6caf125

implemented via 9be6caf125f93ce8547a5f808681253131c32148

floatingghost closed this issue 2022-12-30 02:47:45 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

keys-extraction

translations

domain-mute-backend-processing

customizable-docker-db

stable

static-adminfe

bad-uploader-config-warning

docker

user-expiry-backfill

config-db-keys

ensure-scrubbers-loaded

otp26

code-shaking-does-not-go-brr

elixir1.15

circleci

backup-fixes

mod-task

policy

mrf-coolness

frontend-switcher-9000

contentMap

language-on-posts

rabbit

credo-on-pr

unify-http

normalise-markup-by-default

buildx

v3.13.2

v2.6.3

v3.13.1

v3.13.0

snac-3.12.1.2

v3.12.2

snac-3.12.1.1

v3.12.1

v3.12.0

v3.11.0

v2.6.2

v2.6.1

2.6.1

v2.6.0

v2.5.5

v3.10.4

v3.10.3

v3.10.2

v3.10.1

v3.10.0

v2.5.4

v2.5.3

v3.9.3

v3.9.2

v3.9.1

V3.9.0

2023.05

v3.8.0

v3.7.1

v3.7.0

v3.6.0

v3.5.0

v2.4.5

v3.4.0

v3.3.1

v2.4.4

v3.3.0

v3.2.3

v3.2.2

v3.2.1

stable-202209

v3.2.0

v3.1.0

stable-2022.07

v3.0.0

v0.0.1

v2.5.2-6

v2.5.2-5

v2.5.2-4

v2.5.2-3

v2.5.2-2

v2.5.2-1

v2.5.2

v2.5.1

v2.5.0-8

v2.5.0-7

v2.5.0-6

v2.5.0-5

v2.5.0-4

v2.5.0-3

v2.5.0-2

v2.5.0-1

v2.5.0

v2.4.3

pre-rebase

v2.4.2

v2.4.1

v2.4.0

soapbox-v1.1.1

soapbox-v1.1.0

soapbox-v1.0.0

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.1.8

v1.1.7

v1.1.6

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.91

v1.0.90

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.9.0

Labels

Clear labels   

approved, awaiting change

  

bug

Something is not working

  

configuration

This requires config changes

  

documentation

This is about human-readable docs

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

extremely low priority

  

feature request

Something new?

  

Fix it yourself

Support has been attempted

  

help wanted

Need some help

  

invalid

Something is wrong

  

mastodon_api

  

needs docs

  

needs tests

  

not a bug

  

planned

  

pleroma_api

  

privacy

  

question

More information is needed

  

static_fe

  

triage

  

wontfix

This won't be fixed

No labels

approved, awaiting change

bug

configuration

documentation

duplicate

enhancement

extremely low priority

feature request

Fix it yourself

help wanted

invalid

mastodon_api

needs docs

needs tests

not a bug

planned

pleroma_api

privacy

question

static_fe

triage

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#403

No description provided.