Time marches on and pbkdf2 isn't as resilient against GPU processors.
Increasing the rounds will help but consider adding scrypt if the
module (https://pypi.org/project/scrypt/) is available.

At this time scrypt supports python 2.7 and 3.6+.

Consider argon2 as well https://pypi.org/project/argon2-cffi/. Simiar 
language support to scrypt.

ref:
https://medium.com/analytics-vidhya/password-hashing-pbkdf2-scrypt-
bcrypt-and-argon2-e25aaf41598e
https://stackoverflow.com/questions/4433216/password-hashing-pbkdf2-
using-sha512-x-1000-vs-bcrypt

Maybe it make sense to use passlib [1] and make the hashing configurable.

[1] https://pypi.org/project/passlib/

Hi Cedric:

In message
<1624606499.54.0.504109235365.issue2551145@roundup.psfhosted.org>,
=?utf-8?q?C=C3=A9dric_Krier?= writes:
>Maybe it make sense to use passlib [1] and make the hashing configurable.
>
>[1] https://pypi.org/project/passlib/

Nice find.

Making hashing configurable doesn't require passlib. In general we
chose the highest security implementation. Starting from plaintext,
crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used
internally. Upgrading occurred automatically as people logged in (if
enabled).

I think argon2 is preferred over scrypt. So the existing mechanism for
choosing a hash function can be extended to cover these cases. Do you
think it's necessary to allow the admin to explicitly choose between
scrypt and argon2?

We will never use 99% of passlib so I can't see making it a
requirement. However if passlib is installed we should use its argon2
implementation.

Thoughts?

				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

On 2021-06-25 13:42, John Rouillard wrote:
> Making hashing configurable doesn't require passlib. In general we
> chose the highest security implementation. Starting from plaintext,
> crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used
> internally. Upgrading occurred automatically as people logged in (if
> enabled).
> 
> I think argon2 is preferred over scrypt. So the existing mechanism for
> choosing a hash function can be extended to cover these cases. Do you
> think it's necessary to allow the admin to explicitly choose between
> scrypt and argon2?

Indeed for me it is more about relying on external library.
So you could have conservative defaults but user may use stronger
algorithm if they want and when they want.

> We will never use 99% of passlib so I can't see making it a
> requirement.

I guess this is because the internal mechanism to choose and update is
already implemented.

> However if passlib is installed we should use its argon2
> implementation.

I do not think you should use passlib just to retrieve one hash
algorithm. Indeed you could directly use the passlib dependency argon2.

https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Provides some notes on upgrading older hashes. It points out that automatic hash
upgrade can leave the account vulnerable if the old hashes get cracked. They suggest
a password reset when rehashing/upgrade.

Also what to do about accounts where users have not logged in. They suggest obsolete the
passwords and require a password reset.

Also scrypt is part of hashlib as of python 3.6. So maybe we could support scrypt from
hashlib if available. I doubt anybody would want to go from python 3.6 to 2.7
(without built-in scrypt). The owasp linked above has minimum settings for for scrypt.
But we should plan on allowing these to be stored with the passwords and changed.