[openstreetmap/openstreetmap-website] Switch to Argon2 for password hashing (PR #3353)
mmd
notifications at github.com
Sun Oct 31 11:37:01 UTC 2021
I would like to propose two changes for a halfway sane implementation on the CGImap side:
* Drop the support for PEPPER, as long as libargon2 doesn't provide a public API for it (see https://github.com/P-H-C/phc-winner-argon2/issues/314).
The ruby gem does a lot of magic behind the scenes and re-implements parts of the argon2 code, or directly calls into non-public parts of the code. This is not a feasible approach for CGImap.
* Use exactly one of the 3 possible algorithms (i, d, or id), to avoid parsing of argon2 hash values on CGImap side.
Again, the issue is there's no official API to parse argon2 hash values, and I want to avoid any custom code to do so.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/3353#issuecomment-955683384
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20211031/e408530e/attachment.htm>
More information about the rails-dev
mailing list