On 2021-06-25 13:42, John Rouillard wrote:
> Making hashing configurable doesn't require passlib. In general we
> chose the highest security implementation. Starting from plaintext,
> crypt, md5, sha, ssha, and pbkdf2 were used for hashing passwords used
> internally. Upgrading occurred automatically as people logged in (if
> enabled).
> 
> I think argon2 is preferred over scrypt. So the existing mechanism for
> choosing a hash function can be extended to cover these cases. Do you
> think it's necessary to allow the admin to explicitly choose between
> scrypt and argon2?

Indeed for me it is more about relying on external library.
So you could have conservative defaults but user may use stronger
algorithm if they want and when they want.

> We will never use 99% of passlib so I can't see making it a
> requirement.

I guess this is because the internal mechanism to choose and update is
already implemented.

> However if passlib is installed we should use its argon2
> implementation.

I do not think you should use passlib just to retrieve one hash
algorithm. Indeed you could directly use the passlib dependency argon2.