FoundKeyGang/FoundKey
FoundKeyGang/FoundKey
7
19
Fork 22
Code Issues 37 Pull requests 4 Releases Activity

Improve password hashing algorithm being used #302

New issue
Closed
opened 2022-12-25 20:28:51 +00:00 by norm · 2 comments
norm commented 2022-12-25 20:28:51 +00:00
Owner
Copy link

Currently FoundKey uses bcrypt with the input cost set to 8 (as seen here).

Bcrypt is however not designed to be resistant to GPU and ASIC password crackers. Moreover, it also has limitations like truncating the input to 72 bytes.

We could possibly move to something more modern like Argon2i or Argon2id, though we do have to make sure existing bcrypt password hashes can still work at least for now.

Currently FoundKey uses bcrypt with the input cost set to 8 (as seen [here](https://akkoma.dev/FoundKeyGang/FoundKey/src/commit/114d416de0b5b5f3635503a44ed9e4454102b7f7/packages/backend/src/misc/password.ts)). Bcrypt is however not designed to be resistant to GPU and ASIC password crackers. Moreover, it also has limitations like truncating the input to 72 bytes. We could possibly move to something more modern like Argon2i or Argon2id, though we do have to make sure existing bcrypt password hashes can still work at least for now.
norm added the
feature
 label 2022-12-26 15:58:04 +00:00
toast commented 2022-12-28 17:17:37 +00:00
Owner
Copy link

Implemented in #308 - which implements Argon2id, still allows logins with bcrypt passwords, and automatically rehashes on sign-in (though not other password-verification cases).

Implemented in #308 - which implements Argon2id, still allows logins with bcrypt passwords, and automatically rehashes on sign-in (though not other password-verification cases).
👍 1
Johann150 added a new dependency 2022-12-28 20:41:38 +00:00
#308 argon2 support
norm commented 2022-12-29 20:57:35 +00:00
Author
Owner
Copy link

Implemented in ed9d4023d4, thanks @toast!

Implemented in ed9d4023d41bba7c4ac53a1a3422246feed37de2, thanks @toast!
norm closed this issue 2022-12-29 20:57:35 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
refactor-deliver-actor
markdown
move-autoblock
feature/requests
context
indicator-circle-v2
v13.0.0-preview6
v13.0.0-preview5.1
v13.0.0-preview5
v13.0.0-preview4
v13.0.0-preview3
v13.0.0-preview2
v13.0.0-preview1
Labels
Clear labels   
feature

task that proposes new feature(s)

  
fix

task to fix behavioral problems in the FoundKey codebase

  
upkeep

task that should make FoundKey smaller and more maintainable

No labels
feature
fix
upkeep
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Depends on
#308 argon2 support
FoundKeyGang/FoundKey
Reference: FoundKeyGang/FoundKey#302
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?