Message7292
Hi Cedric:
In message
<1624606499.54.0.504109235365.issue2551145@roundup.psfhosted.org>,
Cédric Krier writes:
>Maybe it makes sense to use passlib [1] and make the hashing configurable.
>
>[1] https://pypi.org/project/passlib/
Nice find.
Making hashing configurable doesn't require passlib. In general we
chose the highest security implementation. Starting from plaintext,
crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used
internally. Upgrading occurred automatically as people logged in (if
enabled).
I think argon2 is preferred over scrypt. So the existing mechanism for
choosing a hash function can be extended to cover these cases. Do you
think it's necessary to allow the admin to explicitly choose between
scrypt and argon2?
We will never use 99% of passlib, so I can't see making it a
requirement. However, if passlib is installed we should use its argon2
implementation.
Thoughts?
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

Date | User | Action | Args
2021-06-25 13:42:08 | rouilj | set | recipients: + rouilj, ced
2021-06-25 13:42:08 | rouilj | link | issue2551145 messages
2021-06-25 13:42:08 | rouilj | create |
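One way to realise the preference-ordered scheme selection and upgrade-on-login mechanism discussed in this message, as an added Python example that is not Roundup's own code: the `SCHEMES` registry, the `{SCHEME}...` storage prefix, the scheme names and the `PREFERENCE` order are assumptions, and argon2 is used only when passlib is installed with a working backend, falling back to scrypt or PBKDF2 from hashlib otherwise.

```python
import hashlib, hmac, os
from base64 import b64decode, b64encode

# Registry of schemes actually available here: name -> (hash_fn, verify_fn).
# The "{SCHEME}..." storage prefix and the scheme names are assumptions.
SCHEMES = {}
def _b64(b): return b64encode(b).decode()
def _pbkdf2_hash(pw, rounds=200_000):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return "{PBKDF2}%d$%s$%s" % (rounds, _b64(salt), _b64(dk))
def _pbkdf2_verify(pw, stored):
    rounds, salt, dk = stored[len("{PBKDF2}"):].split("$")
    calc = hashlib.pbkdf2_hmac("sha256", pw.encode(), b64decode(salt), int(rounds))
    return hmac.compare_digest(calc, b64decode(dk))
SCHEMES["PBKDF2"] = (_pbkdf2_hash, _pbkdf2_verify)

if hasattr(hashlib, "scrypt"):  # present when hashlib is built on OpenSSL 1.1+
    def _scrypt_hash(pw):
        salt = os.urandom(16)
        dk = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)
        return "{SCRYPT}%s$%s" % (_b64(salt), _b64(dk))
    def _scrypt_verify(pw, stored):
        salt, dk = stored[len("{SCRYPT}"):].split("$")
        calc = hashlib.scrypt(pw.encode(), salt=b64decode(salt), n=2**14, r=8, p=1)
        return hmac.compare_digest(calc, b64decode(dk))
    SCHEMES["SCRYPT"] = (_scrypt_hash, _scrypt_verify)

try:  # argon2 only through passlib, and only if passlib has a working backend
    from passlib.hash import argon2
    argon2.hash("probe")
    SCHEMES["ARGON2"] = (lambda pw: "{ARGON2}" + argon2.hash(pw),
                         lambda pw, s: argon2.verify(pw, s[len("{ARGON2}"):]))
except Exception:
    pass

PREFERENCE = ["ARGON2", "SCRYPT", "PBKDF2"]  # strongest first, picked automatically
def best_scheme():
    return next(s for s in PREFERENCE if s in SCHEMES)
def hash_password(pw, scheme=None):
    return SCHEMES[scheme or best_scheme()][0](pw)
def scheme_of(stored):
    return stored[1:stored.index("}")]
def check_and_upgrade(pw, stored, upgrade=True):
    """Verify pw; if it matches and a stronger scheme exists, return a rehash
    to store in place of the old value (upgrade-on-login). Returns (ok, value)."""
    ok = SCHEMES[scheme_of(stored)][1](pw, stored)
    if ok and upgrade and scheme_of(stored) != best_scheme():
        return True, hash_password(pw)
    return ok, stored
```

With upgrade disabled the stored value is left untouched, which mirrors the "if enabled" behaviour mentioned above.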