Arize-ai / phoenix

AI Observability & Evaluation
https://docs.arize.com/phoenix

[auth] [server] investigate cryptographic hash functions for basic auth flow #4021

Closed axiomofjoy closed 2 months ago

axiomofjoy commented 3 months ago

Password hashes will be computed using a cryptographic hash function. The ideal hash function is slow and adjustable in terms of its computation time and memory usage. The argon2 family of algorithms is the recommendation of the Password Hashing Competition Panel. However, it is not part of the Python standard library and may require additional system dependencies. It also may be so slow that it hurts the user experience while logging in.

We should aim for the hash to be computable within one second on the weakest hardware on which Phoenix might run (e.g., the cheapest EC2 instance). Ultimately, any of bcrypt, scrypt, and argon2 will be acceptable for our purposes, and all are currently supported in Django.
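The trade-off raised in this comment (an adjustable cost tuned to a time budget on the weakest host) can be tried with the standard library's `hashlib.scrypt`, which needs no extra dependency. This is an added example, not Phoenix code and not part of the original issue; the record format, the constants and all function names are assumptions.

```python
import hashlib
import hmac
import os
import time

R, P, DKLEN = 8, 1, 32   # assumed block size, parallelism and digest length
FLOOR_LOG2_N = 14        # assumed minimum cost: never calibrate below n = 2**14

def _scrypt(password: str, salt: bytes, n: int) -> bytes:
    # scrypt needs about 128 * n * R bytes; raise OpenSSL's 32 MiB default cap to fit.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=R, p=P,
                          maxmem=256 * n * R, dklen=DKLEN)

def calibrate_n(budget_s: float, max_log2_n: int = 17) -> int:
    """Return the largest power-of-two n whose hash time fits the budget on this host."""
    best = 2 ** FLOOR_LOG2_N
    for log2_n in range(FLOOR_LOG2_N, max_log2_n + 1):
        start = time.perf_counter()
        _scrypt("calibration-input", b"\x00" * 16, 2 ** log2_n)
        if time.perf_counter() - start > budget_s:
            break
        best = 2 ** log2_n
    return best

def hash_password(password: str, n: int) -> str:
    """Hash with a fresh random salt; the cost is stored in the record itself."""
    salt = os.urandom(16)
    return f"scrypt${n}${salt.hex()}${_scrypt(password, salt, n).hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    scheme, n, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    candidate = _scrypt(password, bytes.fromhex(salt_hex), int(n))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(record: str, current_n: int) -> bool:
    """True when the record was hashed at a lower cost than the current setting."""
    return int(record.split("$")[1]) < current_n

if __name__ == "__main__":
    n = calibrate_n(budget_s=1.0)  # the one-second target from the issue
    record = hash_password("correct horse battery staple", n)  # constructed sample
    print(n, verify_password("correct horse battery staple", record))
```

The calibration result depends on the hardware, so it only means something when run on the weakest host the server is expected to use.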

axiomofjoy commented 2 months ago

Duplicate of #4193