Roundup Tracker - Issues


Author rouilj
Recipients ced, rouilj
Date 2021-06-25.13:42:08
Message-id <>
In-reply-to <>
Hi Cedric:

In message
=?utf-8?q?C=C3=A9dric_Krier?= writes:
>Maybe it make sense to use passlib [1] and make the hashing configurable.

Nice find.

Making hashing configurable doesn't require passlib. In general we
chose the highest security implementation. Starting from plaintext,
crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used
internally. Upgrading occurred automatically as people logged in (if

I think argon2 is preferred over scrypt. So the existing mechanism for
choosing a hash function can be extended to cover these cases. Do you
think it's necessary to allow the admin to explicitly choose between
scrypt and argon2?

We will never use 99% of passlib so I can't see making it a
requirement. However if passlib is installed we should use its argon2


				-- rouilj
John Rouillard
My employers don't acknowledge my existence much less my opinions.
Date User Action Args
2021-06-25 13:42:08rouiljsetrecipients: + rouilj, ced
2021-06-25 13:42:08rouiljlinkissue2551145 messages
2021-06-25 13:42:08rouiljcreate