bhark / Konsent

A platform designed to help groups make decisions without hierarchy and representatives, built on anarchist values.
GNU General Public License v3.0

Better password security #26

Closed iodbh closed 6 years ago

iodbh commented 6 years ago

Password security, as it is, is not suitable for production use:

I would recommend switching back to passlib, which implements recommended algorithms and conveniently wraps hashing.

ghost commented 6 years ago

I think we should use the werkzeug module that comes with Flask; its utils have some useful functions. passlib doesn't seem to be maintained anymore.

bhark commented 6 years ago

There's also bcrypt, which looks like a solid choice. Allows us to dictate slowness and salt easily. It seems like it's being worked on still. On GitHub here.

bhark commented 6 years ago

I finally got a new laptop, so if you're both alright with using bcrypt, I'll implement it instead of hashlib.

@iodbh @surrealbytes

bhark commented 6 years ago

We're now using bcrypt.