Password hashes will be computed using a cryptographic hash function. The ideal hash function for this purpose is deliberately slow, with adjustable computation time and memory usage. The argon2 family of algorithms is the recommendation of the Password Hashing Competition Panel. However, it is not part of the Python standard library and may require additional system dependencies. It may also be so slow that it hurts the user experience while logging in.
We should aim for the hash to be computable within one second on the weakest hardware on which Phoenix might run (e.g., the cheapest EC2 instance). Ultimately, any of bcrypt, scrypt, and argon2 will be acceptable for our purposes, and all are currently supported in Django.
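One way to pick a cost setting that fits the one-second budget, shown here as an added example (not Phoenix or Django code). It uses scrypt through the standard library's `hashlib.scrypt`, which assumes Python is built against an OpenSSL with scrypt support; the function names and the `scrypt$cost$salt$digest` storage format are hypothetical.

```python
import hashlib
import hmac
import os
import time

R, P, DKLEN = 8, 1, 32  # common scrypt block size and parallelism; 32-byte digest

def _scrypt(password: str, salt: bytes, log2_n: int) -> bytes:
    n = 1 << log2_n
    # scrypt needs about 128 * r * n bytes; lift OpenSSL's default memory cap to fit.
    maxmem = 128 * R * (n + P + 2) + 4096
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=R, p=P,
                          maxmem=maxmem, dklen=DKLEN)

def calibrate(target_seconds: float, min_log2_n: int = 14, max_log2_n: int = 20) -> int:
    """Return the largest log2(N) whose hash fits the budget (never below the floor)."""
    chosen = min_log2_n
    for log2_n in range(min_log2_n, max_log2_n + 1):
        start = time.perf_counter()
        _scrypt("calibration-password", os.urandom(16), log2_n)
        if time.perf_counter() - start > target_seconds:
            break  # each step doubles time and memory, so stop at the first overshoot
        chosen = log2_n
    return chosen

def make_hash(password: str, log2_n: int) -> str:
    """Store cost and salt next to the digest so the cost can be raised later."""
    salt = os.urandom(16)
    digest = _scrypt(password, salt, log2_n)
    return f"scrypt${log2_n}${salt.hex()}${digest.hex()}"

def verify(password: str, encoded: str) -> bool:
    _, log2_n, salt_hex, digest_hex = encoded.split("$")
    candidate = _scrypt(password, bytes.fromhex(salt_hex), int(log2_n))
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(encoded: str, current_log2_n: int) -> bool:
    """True when a stored hash was made with a lower cost than the current one."""
    return int(encoded.split("$")[1]) < current_log2_n

if __name__ == "__main__":
    cost = calibrate(target_seconds=1.0)  # run on the weakest deployment host
    stored = make_hash("correct horse battery staple", cost)  # constructed sample
    print(cost, verify("correct horse battery staple", stored), stored[:24])
```

Run the calibration on the weakest hardware in the deployment rather than a developer machine, since the result is specific to the host it was measured on.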