Open mbaeuerle opened 4 years ago
Sounds interesting. The main problem I (currently) see is that the Credentials API only defines an operation for retrieving credentials but not for upgrading/updating. However, such an operation could be added (again) ...
Description: Currently there are three supported password hashing algorithms for device credentials in Hono:
For some time now, user-provided hashed passwords have been deprecated, and Bcrypt is the default hashing algorithm in Hono for plain text passwords. This leads to the demand to
Also, as hardware becomes more powerful over time, the work load required to hash a password should be increased gradually. So from my point of view it also makes sense to discuss
Approach: Re-hash the password with the new hashing algorithm when devices connect to Hono adapters, as this is the only time the clear text password is known. The Bcrypt work factor can be upgraded in the same way. Since the work factor is stored in the Bcrypt hash itself, supporting multiple work factors at the same time should not be an issue.
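The upgrade-on-connect flow sketched above, as an added example (not Hono's own code): Python standard library only, with PBKDF2 standing in for Bcrypt because it lets the cost be embedded in the stored string the same way, and a constructed `legacy-sha256` scheme standing in for a deprecated user-provided hash; the target cost of 12 and the record layout are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Policy the stored hash must meet today (assumption for the example).
TARGET_ALGO = "pbkdf2"
TARGET_COST = 12  # PBKDF2 iterations = 2**cost, mirroring Bcrypt's log2 work factor


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hash_password(password: str, cost: int = TARGET_COST) -> str:
    """Modular-crypt style string $pbkdf2$<cost>$<salt>$<digest>; the cost travels with the hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return f"$pbkdf2${cost}${_b64(salt)}${_b64(dk)}"


def legacy_hash(password: str, salt: bytes) -> str:
    """Constructed stand-in for a deprecated scheme: one salted SHA-256, no work factor."""
    digest = hashlib.sha256(salt + password.encode()).digest()
    return f"$legacy-sha256${_b64(salt)}${_b64(digest)}"


def verify(stored: str, password: str) -> bool:
    """Check a password against whichever scheme the stored string declares."""
    parts = stored.split("$")
    if parts[1] == "pbkdf2":
        cost, salt, dk = int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
        return hmac.compare_digest(candidate, dk)
    if parts[1] == "legacy-sha256":
        return hmac.compare_digest(legacy_hash(password, base64.b64decode(parts[2])), stored)
    return False  # unknown scheme: fail closed


def needs_upgrade(stored: str) -> bool:
    """Deprecated algorithm, or current algorithm below today's work factor."""
    parts = stored.split("$")
    return parts[1] != TARGET_ALGO or int(parts[2]) < TARGET_COST


def authenticate(record: dict, password: str) -> bool:
    """Run at connect time, the only moment the clear text password is available."""
    if not verify(record["hash"], password):
        return False
    if needs_upgrade(record["hash"]):
        record["hash"] = hash_password(password)  # re-hash under the current policy
    return True
```

Records hashed at an older cost keep verifying until the device next connects, so a fleet can carry several work factors while the migration runs.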
Further information: OWASP upgrading legacy hashes: describes another approach to migrating legacy passwords, by hashing the existing hash with the new algorithm.