Open MichaIng opened 2 years ago
SHA1 is ancient and simple to brute-force. We should switch to something modern, like pbkdf2_hmac, available without 3rd party libraries: https://nitratine.net/blog/post/how-to-hash-passwords-in-python/
But to not lock out users, we must keep SHA1 as fallback, e.g. we can derive the algorithm of the stores hash to derive whether it's still SHA1 and in case on login prompt the user to re-set it so that it is stores with new algorithm.
+1
SHA1 is ancient and simple to brute-force. We should switch to something modern, like pbkdf2_hmac, available without 3rd party libraries: https://nitratine.net/blog/post/how-to-hash-passwords-in-python/
But to not lock out users, we must keep SHA1 as fallback, e.g. we can derive the algorithm of the stores hash to derive whether it's still SHA1 and in case on login prompt the user to re-set it so that it is stores with new algorithm.