[openstreetmap/openstreetmap-website] Switch to Argon2 for password hashing (PR #3353)
Tom Hughes
notifications at github.com
Wed Oct 27 21:43:28 UTC 2021
It's been five years since we last updated our password hashing and things have moved on - the [current OWASP recommendation](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html) is to use Argon2.
Argon2 takes care of recording the salt and hash parameters as part of the password so the separate salt is no longer needed except for legacy passwords.
We're using the default parameters (64Mb memory, 2 iterations, degree of parallelism) which exceed the OWASP recommended values and upgrading will be automatic as the defaults change over time.
There is also support for an optional "pepper" which means that a leak of hashed passwords would be useless without the pepper (a shared secret included in the hashes) which is not present in the database or on the database servers.
You can view, comment on, or merge this pull request online at:
https://github.com/openstreetmap/openstreetmap-website/pull/3353
-- Commit Summary --
* Switch to Argon2 for password hashing: https://github.com/openstreetmap/openstreetmap-website/pull/3353/commits/76e4345f86d8c406df739a1322616a803c5ad812
-- File Changes --
M Gemfile (3)
M Gemfile.lock (7)
M config/settings.yml (2)
M lib/password_hash.rb (52)
M test/lib/password_hash_test.rb (17)
-- Patch Links --
https://github.com/openstreetmap/openstreetmap-website/pull/3353.patch
https://github.com/openstreetmap/openstreetmap-website/pull/3353.diff
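The description above makes two points a reviewer of the patch will want to see concretely: an Argon2 hash string is self-describing (salt and cost parameters are encoded inside it, so the separate salt column is only needed for legacy hashes), and hashes computed under older defaults can be detected and upgraded as the defaults grow. The following Ruby is an added example and is not code from the openstreetmap-website project or from this PR; it parses the PHC string format that Argon2 libraries emit and decides whether a stored hash needs re-hashing. The "current defaults" hash, the parallelism value of 1, and the sample strings are assumptions made for the example.

```ruby
# Added example, not code from the openstreetmap-website project or PR #3353.
# Shows why a self-describing Argon2 hash needs no separate salt column, and
# how a login path can detect hashes that should be recomputed because the
# current cost defaults have grown since the hash was stored.
require "base64"

# Cost parameters assumed as the "current defaults" for this example. The PR
# text quotes 64 MB of memory and 2 iterations; the parallelism value of 1 is
# an assumption.
CURRENT_PARAMS = { m: 65_536, t: 2, p: 1 }.freeze

# Parse a PHC-format Argon2 string such as
#   $argon2id$v=19$m=65536,t=2,p=1$<base64 salt>$<base64 digest>
# Returns a Hash of its fields, or nil if the string is not in that format
# (for instance a legacy hash that still relies on a separate salt column).
def parse_argon2(encoded)
  parts = encoded.to_s.split("$", -1)
  return nil unless parts.length == 6 && parts[0].empty?

  _, variant, version, params, salt, digest = parts
  return nil unless %w[argon2i argon2d argon2id].include?(variant)
  return nil unless version =~ /\Av=(\d+)\z/

  v = Regexp.last_match(1).to_i
  costs = {}
  params.split(",").each do |kv|
    key, value = kv.split("=", 2)
    return nil unless %w[m t p].include?(key) && value =~ /\A\d+\z/

    costs[key.to_sym] = value.to_i
  end
  return nil unless costs.keys.sort == %i[m p t]

  {
    variant: variant,
    version: v,
    m: costs[:m], t: costs[:t], p: costs[:p],
    # The salt travels inside the string, which is why no separate column is needed.
    salt_bytes: Base64.decode64(salt).bytesize,
    digest_bytes: Base64.decode64(digest).bytesize
  }
end

# Decide whether a stored hash should be recomputed on the next successful
# login. Legacy (non-Argon2) hashes are always upgraded; Argon2 hashes are
# upgraded when any cost parameter is below the current default.
def needs_rehash?(encoded, current = CURRENT_PARAMS)
  info = parse_argon2(encoded)
  return true if info.nil?

  info[:m] < current[:m] || info[:t] < current[:t] || info[:p] < current[:p]
end

# Constructed sample strings (not real hashes): the salt and digest are fixed
# bytes, base64-encoded without padding as PHC strings store them.
def sample_hash(m:, t:, p:)
  salt = Base64.strict_encode64("\x01" * 16).delete("=")
  digest = Base64.strict_encode64("\x02" * 32).delete("=")
  "$argon2id$v=19$m=#{m},t=#{t},p=#{p}$#{salt}$#{digest}"
end

if __FILE__ == $PROGRAM_NAME
  [
    sample_hash(m: 65_536, t: 2, p: 1),   # matches current defaults
    sample_hash(m: 4096, t: 3, p: 1),     # memory cost below current default
    "legacy-hex-digest-with-separate-salt" # not a PHC string at all
  ].each do |h|
    puts "#{h[0, 40]}... needs rehash: #{needs_rehash?(h)}"
  end
end
```

In a login flow the check runs only after the submitted password has verified against the stored hash, so the plaintext is available to compute the replacement; the pepper mentioned in the PR would be supplied to the hashing library at that point from application configuration, never read from the database.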