<p>It's been five years since we last updated our password hashing and things have moved on - the <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html" rel="nofollow">current OWASP recommendation</a> is to use Argon2.</p>
<p>Argon2 takes care of recording the salt and hash parameters as part of the password so the separate salt is no longer needed except for legacy passwords.</p>
<p>We're using the default parameters (64 MB memory, 2 iterations, degree of parallelism) which exceed the OWASP recommended values and upgrading will be automatic as the defaults change over time.</p>
<p>There is also support for an optional "pepper" which means that a leak of hashed passwords would be useless without the pepper (a shared secret included in the hashes) which is not present in the database or on the database servers.</p>
<hr>
<h4>You can view, comment on, or merge this pull request online at:</h4>
<p> <a href='https://github.com/openstreetmap/openstreetmap-website/pull/3353'>https://github.com/openstreetmap/openstreetmap-website/pull/3353</a></p>
<h4>Commit Summary</h4>
<ul>
<li><a href="https://github.com/openstreetmap/openstreetmap-website/pull/3353/commits/76e4345f86d8c406df739a1322616a803c5ad812">Switch to Argon2 for password hashing</a></li>
</ul>
<h4 style="display: inline-block">File Changes </h4> <p style="display: inline-block">(<a href="https://github.com/openstreetmap/openstreetmap-website/pull/3353/files">5 files</a>)</p>
<ul>
<li>
<strong>M</strong>
<a href="https://github.com/openstreetmap/openstreetmap-website/pull/3353/files#diff-d09ea66f8227784ff4393d88a19836f321c915ae10031d16c93d67e6283ab55f">Gemfile</a>
(3)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/openstreetmap/openstreetmap-website/pull/3353/files#diff-89cade48462044ee1b672dc5f4c3ec250fbd29effcd8932096a23c1283c6731f">Gemfile.lock</a>
(7)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/openstreetmap/openstreetmap-website/pull/3353/files#diff-e769bbb8c1ba3711c5403b424ed9c218ffafba7f1890ee394717196f28ff4540">config/settings.yml</a>
(2)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/openstreetmap/openstreetmap-website/pull/3353/files#diff-ebb0abe8fb52772c9373ccf7f08aee8136860410a79cefd8f4ff89c1eecf2d8b">lib/password_hash.rb</a>
(52)
</li>
<li>
<strong>M</strong>
<a href="https://github.com/openstreetmap/openstreetmap-website/pull/3353/files#diff-6306faf3aa0909f41b3b21e2839aaed97fce59b518f529e804ff43f18f568f26">test/lib/password_hash_test.rb</a>
(17)
</li>
</ul>
<h4>Patch Links:</h4>
<ul>
<li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/3353.patch'>https://github.com/openstreetmap/openstreetmap-website/pull/3353.patch</a></li>
<li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/3353.diff'>https://github.com/openstreetmap/openstreetmap-website/pull/3353.diff</a></li>
</ul>
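<p>As an added example (not code from openstreetmap-website, the PR above, or the argon2 gem), the Ruby below shows the three points the description makes: the Argon2 hash string carries its own salt and cost parameters, a login path can read those back to re-hash rows automatically when the defaults move, and the pepper is a secret that lives on the application servers rather than in the database. The <code>Argon2::Password</code> calls are assumed from the argon2 gem's 2.x API, the environment-variable name for the pepper and the parallelism value are assumptions, and <code>legacy_verify</code> is a hypothetical hook standing in for the project's pre-Argon2 check. The sample hash strings are constructed for the parser, not real hashes.</p>

```ruby
# Added example (not from openstreetmap-website or the argon2 gem): parsing a
# self-describing Argon2 string, deciding when a stored hash should be upgraded,
# and keeping the pepper out of the database. Argon2::Password calls are assumed
# from the argon2 gem 2.x API; without the gem only the pure-Ruby helpers work.
begin
  require "argon2"
rescue LoadError
  # hash_password / verify_password raise NameError without the gem
end

# Assumed current defaults: 2^16 KiB = 64 MiB, 2 passes, parallelism 1
# (the PR lists 64 MB and 2 iterations; the parallelism value is an assumption).
M_COST_LOG2 = 16
CURRENT_PARAMS = { m_kib: 1 << M_COST_LOG2, t: 2, p: 1 }.freeze

# The pepper is read from the app server's environment (assumed variable name),
# never stored next to the hashes, so a leaked users table is useless without it.
PEPPER = ENV["ARGON2_PEPPER"]

# "$argon2id$v=19$m=65536,t=2,p=1$<salt b64>$<hash b64>"
PHC_RE = /\A\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+\/]+)\$([A-Za-z0-9+\/]+)\z/

# Constructed sample rows (not real hashes) for exercising the policy offline.
SAMPLES = {
  current: "$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g",
  weak:    "$argon2id$v=19$m=4096,t=3,p=1$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g",
  argon2i: "$argon2i$v=19$m=65536,t=2,p=1$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g",
  legacy:  "5f4dcc3b5aa765d61d8327deb882cf99"
}.freeze

# Parse the self-describing hash string. Returns nil for anything that is not an
# Argon2 PHC string, which is how legacy (separate salt column) rows are spotted.
def parse_argon2(encoded)
  m = PHC_RE.match(encoded.to_s)
  return nil unless m
  { variant: m[1], version: m[2].to_i,
    m_kib: m[3].to_i, t: m[4].to_i, p: m[5].to_i,
    salt_b64: m[6], hash_b64: m[7] }
end

# Re-hash on the next successful login when the stored value is not argon2id or
# was produced with cost parameters other than the current defaults. Checking
# "differs" rather than "weaker" keeps every row on one parameter set, so a
# raised default migrates the whole user base as people log in.
def needs_rehash?(encoded, current = CURRENT_PARAMS)
  params = parse_argon2(encoded)
  return true if params.nil? || params[:variant] != "argon2id"
  params[:m_kib] != current[:m_kib] ||
    params[:t] != current[:t] ||
    params[:p] != current[:p]
end

# Hash with the current parameters; the gem generates the salt and embeds it in
# the returned string. `secret:` is the pepper (assumed gem option name).
def hash_password(password, pepper: PEPPER)
  Argon2::Password.new(t_cost: CURRENT_PARAMS[:t], m_cost: M_COST_LOG2,
                       p_cost: CURRENT_PARAMS[:p], secret: pepper).create(password)
end

def verify_password(password, encoded, pepper: PEPPER)
  Argon2::Password.verify_password(password, encoded, pepper)
end

# Login path: verify against whatever is stored (Argon2 or legacy), then return a
# replacement hash when the row should be upgraded. `legacy_verify` is a
# hypothetical hook for the pre-Argon2 check. Returns [authenticated?, new_hash_or_nil].
def authenticate(password, stored, legacy_verify: nil)
  ok = if parse_argon2(stored)
         verify_password(password, stored)
       else
         legacy_verify ? legacy_verify.call(password, stored) : false
       end
  return [false, nil] unless ok
  [true, needs_rehash?(stored) ? hash_password(password) : nil]
end
```

<p>Usage: call <code>authenticate(password, user.pass_crypt, legacy_verify: ...)</code> on login and, when the second element is non-nil, write it back to the row; once the defaults are raised (say <code>M_COST_LOG2 = 17</code>), <code>needs_rehash?</code> flags every older hash and the upgrade happens without a batch migration. The pepper is a <code>secret:</code> input to Argon2 rather than a string concatenated to the password, so it cannot be recovered from the stored hash and the hash format stays standard.</p>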