Deprecate BCrypt in favor of Argon2 - Githubissues

TeskaLabs / seacat-auth

SeaCat Auth provides authentication, authorization, identity management, session management and other access control features.

GNU General Public License v3.0

11 stars 6 forks source link

Deprecate BCrypt in favor of Argon2 #340

Closed byewokko closed 2 months ago

byewokko commented 5 months ago

Is your feature request related to a problem? Please describe. According to the latest NÚKIB recommendations (https://nukib.gov.cz/cs/infoservis/doporuceni/1988-doporuceni-v-oblasti-kryptografickych-prostredku-verze-3-0/), BCrypt is no longer considered safe enough for password storage.

Describe the solution you'd like

Argon2 (https://passlib.readthedocs.io/en/stable/lib/passlib.hash.argon2.html?highlight=argon2) should be the new default algorithm for password storage. All new passwords must be hashed using Argon2.
BCrypt still has to be supported for existing passwords.