[openstreetmap/openstreetmap-website] Switch to Argon2 for password hashing (PR #3353)

Andy Allan notifications at github.com
Wed Nov 3 16:26:23 UTC 2021


I'm happy to switch algorithms. The main thing I wanted to check is how this would impact (positively or not) on migrating to use Devise to take care of these sorts of things for us.

They don't currently use argon2 for password hashing ([they use bcrypt](https://github.com/heartcombo/devise/blob/8593801130f2df94a50863b5db535c272b00efe1/lib/devise/encryptor.rb#L11)), but I found that they have a [plugin system](https://github.com/heartcombo/devise-encryptable) for their password encryptors, and someone else has written a [devise-argon2](https://github.com/erdostom/devise-argon2) gem. So as far as I can tell, if/when we move to devise we could write our own custom encryptor, in order to handle all the fallbacks and whatever arguments we are passing to argon2. Although, ideally, I would let someone upstream worry about password algorithms for us.

Talking of fallbacks, I know that we support silent upgrades of old password hashes. Is there merit in limiting how far back we do this, from the perspective of code simplicity and maintainability? I don't think it would be too bad to say if you haven't logged in at some point over the last X (e.g. 10?) years then you need to reset your password.

Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/3353#issuecomment-959642837
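The "silent upgrade with a cutoff" policy discussed in the comment above, as an added Ruby example that is not code from openstreetmap-website, Devise or this PR. The record layout, the schemes (stdlib PBKDF2 standing in for argon2, a salted SHA-256 standing in for a legacy format) and the 10-year cutoff are assumptions made for the demo.

```ruby
require "openssl"
require "securerandom"

module PasswordUpgrade
  CURRENT_SCHEME = "pbkdf2".freeze     # stand-in for argon2 in this demo
  RESET_AFTER = 10 * 365 * 24 * 3600   # the "X years" cutoff from the thread (assumed: 10)
  ITERATIONS = 100_000

  def self.pbkdf2(pw, salt)
    OpenSSL::KDF.pbkdf2_hmac(pw, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256").unpack1("H*")
  end

  # Hex-digest comparison that does not short-circuit on the first mismatch.
  def self.secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # One verifier per stored scheme; argon2 would be a further entry here
  # (e.g. backed by the argon2 gem). "sha256" plays the legacy scheme.
  VERIFIERS = {
    "sha256" => ->(pw, salt, digest) { secure_eq(OpenSSL::Digest::SHA256.hexdigest(salt + pw), digest) },
    "pbkdf2" => ->(pw, salt, digest) { secure_eq(pbkdf2(pw, salt), digest) }
  }.freeze

  # Record layout (assumed): { scheme:, salt:, digest:, last_login: Time }
  def self.create(password, now:)
    salt = SecureRandom.hex(16)
    { scheme: CURRENT_SCHEME, salt: salt, digest: pbkdf2(password, salt), last_login: now }
  end

  # Constructed legacy record for the demo; not how any real site stored hashes.
  def self.legacy_record(password, last_login:)
    salt = SecureRandom.hex(8)
    { scheme: "sha256", salt: salt, digest: OpenSSL::Digest::SHA256.hexdigest(salt + password), last_login: last_login }
  end

  # Returns [status, record]; status is :ok (record possibly rehashed),
  # :reset_required (scheme dropped or legacy hash idle past the cutoff) or :bad_password.
  def self.authenticate(record, password, now:)
    legacy = record[:scheme] != CURRENT_SCHEME
    return [:reset_required, record] if legacy && (now - record[:last_login] > RESET_AFTER)
    verifier = VERIFIERS[record[:scheme]]
    return [:reset_required, record] if verifier.nil?
    return [:bad_password, record] unless verifier.call(password, record[:salt], record[:digest])
    record = create(password, now: now) if legacy   # silent upgrade on successful login
    [:ok, record.merge(last_login: now)]
  end
end
```

Dropping a verifier from `VERIFIERS` is what "limiting how far back we go" means in practice: accounts still on that scheme are routed to a reset instead of keeping the old code path alive.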