appwrite icon indicating copy to clipboard operation
appwrite copied to clipboard

Published 20 hours ago verified publisher icon appwrite

Password Hashing algos

Open Meldiron opened this issue 3 years ago • 1 comments

What does this PR do?

Appwrite uses bcrypt encryption. This PR adds support for more algorithms. This PR will make it possible to use multiple algorithms under the hood, making user migration into Appwrite way more accessible.

Hashing algo switched to Argon2. Looks to be more secure than BCrypt, so let's be the safest baas 😎 Thanks to this PR, projects using old algo will still work.

Test Plan

All current tests should pass. New tests implemented.

Related PRs and Issues

  • https://github.com/appwrite/appwrite/issues/2709
  • https://github.com/appwrite/appwrite/issues/2710

Have you read the Contributing Guidelines on issues?

Meldiron avatar Feb 04 '22 15:02 Meldiron

I have done research about hashing to full understand the problem.

BCrypt

  • Cost. Appwrite uses 8, others seems to use 10
  • Version (A or B, X, Y), B used widely
  • Salt can be provided, instead of random generation

MD5

  • No configuration. Not secure, should not be allowed for registration (only for import)

SCrypt

  • Complex as hell, more research needed

SCrypt (Google fork)

  • Complex as hell, most likely also more secure

Argon2

  • Seems to be the simple one, and the secure one

PHPass

  • Used by many established PHP projects

SHA

  • Like MD5 - not good (for passwords), but some projects still use it. Has many versions

Meldiron avatar May 01 '22 10:05 Meldiron