
Add support for updating password hashing algorithm for client credentials

Open mbaeuerle opened this issue 5 years ago • 1 comment

Description: Currently there are three supported password hashing algorithms for device credentials in Hono:

  • SHA-256
  • SHA-512
  • Bcrypt (default)

For some time now, user-provided hashed passwords have been deprecated and Bcrypt has been the default hashing algorithm in Hono for plain text passwords. This leads to the demand to

  • upgrade SHA based hashed passwords to the Bcrypt algorithm.

Also, as hardware becomes more powerful over time, the workload to hash a password should be increased gradually. So, FMPOV, it also makes sense to discuss

  • upgrading the work factor of Bcrypt based hashes by the same mechanism.

Approach: Re-encrypt the password with the new hashing algorithm when devices connect to Hono adapters, as this is the only time when the clear text password is known. In the same way the Bcrypt work factor can be upgraded. As the work factor is stored in the Bcrypt hash, there should be no issue in supporting multiple work factors at the same time.

Further information: OWASP upgrading legacy hashes: Describes another approach of re-encrypting legacy passwords by hashing the existing hash.

mbaeuerle avatar Jan 27 '20 12:01 mbaeuerle
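The "upgrade on connect" approach described in the issue, as an added example that is not part of the original issue and not Hono's own code. It assumes a constructed credential record layout (fields `hash-function`, `salt`, `pwd-hash`, legacy SHA hashes computed over salt||password, all base64-encoded; check the Hono Credentials API for the real format). Because Bcrypt is not in Python's standard library, a cost-parameterised PBKDF2-SHA256 stands in for Bcrypt; what matters for the upgrade logic is that, like Bcrypt, the work factor is embedded in the stored string, so records written under different cost policies coexist and each can be verified and selectively upgraded.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Policy enforced for freshly written hashes (constructed values for this example).
# Assumption: PBKDF2-SHA256 stands in for Bcrypt; its iteration count plays the
# role of the Bcrypt work factor and is embedded in the stored hash string.
CURRENT_HASH_FUNCTION = "pbkdf2-sha256"
CURRENT_COST = 4096  # raise over time as hardware gets faster
LEGACY_HASH_FUNCTIONS = {"sha-256": "sha256", "sha-512": "sha512"}


def make_legacy_secret(password: str, hash_function: str) -> dict:
    """Constructed legacy record: unsalted-strength SHA over salt||password.
    (Assumed layout for illustration, not Hono's actual credential format.)"""
    salt = os.urandom(16)
    digest = hashlib.new(LEGACY_HASH_FUNCTIONS[hash_function],
                         salt + password.encode()).digest()
    return {
        "hash-function": hash_function,
        "salt": base64.b64encode(salt).decode(),
        "pwd-hash": base64.b64encode(digest).decode(),
    }


def make_current_secret(password: str, cost: int = CURRENT_COST) -> dict:
    """Self-describing hash: '<algo>$<cost>$<salt>$<hash>', so the cost used
    at write time travels with the record, as the Bcrypt work factor does."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cost)
    encoded = "$".join([
        CURRENT_HASH_FUNCTION, str(cost),
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode(),
    ])
    return {"hash-function": CURRENT_HASH_FUNCTION, "pwd-hash": encoded}


def stored_cost(secret: dict) -> int:
    """Work factor recorded in a current-format record."""
    return int(secret["pwd-hash"].split("$")[1])


def verify(secret: dict, password: str) -> bool:
    """Verify a clear-text password against any supported record format."""
    hf = secret["hash-function"]
    if hf in LEGACY_HASH_FUNCTIONS:
        salt = base64.b64decode(secret["salt"])
        expected = base64.b64decode(secret["pwd-hash"])
        actual = hashlib.new(LEGACY_HASH_FUNCTIONS[hf], salt + password.encode()).digest()
    elif hf == CURRENT_HASH_FUNCTION:
        _, cost, salt_b64, hash_b64 = secret["pwd-hash"].split("$")
        expected = base64.b64decode(hash_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     base64.b64decode(salt_b64), int(cost))
    else:
        return False  # unknown algorithm: fail closed
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def needs_upgrade(secret: dict) -> bool:
    """Legacy SHA records always need upgrading; current-format records only
    when they were written with a lower work factor than today's policy."""
    if secret["hash-function"] in LEGACY_HASH_FUNCTIONS:
        return True
    return stored_cost(secret) < CURRENT_COST


def authenticate_and_upgrade(secret: dict, password: str) -> tuple[bool, dict]:
    """Verify the clear-text password presented at connect time. On success, and
    only on success, re-hash under the current policy so the caller can replace
    the stored record. A failed attempt never changes the record."""
    if not verify(secret, password):
        return False, secret
    if needs_upgrade(secret):
        return True, make_current_secret(password)
    return True, secret


if __name__ == "__main__":
    legacy = make_legacy_secret("s3cret", "sha-256")
    ok, upgraded = authenticate_and_upgrade(legacy, "s3cret")
    print("legacy sha-256 ->", upgraded["hash-function"], "cost", stored_cost(upgraded), ok)
    weak = make_current_secret("s3cret", cost=1024)
    ok, stronger = authenticate_and_upgrade(weak, "s3cret")
    print("cost 1024 ->", stored_cost(stronger), ok)
```

The device's clear-text password is available only inside `authenticate_and_upgrade`, which is why the re-hash happens there and nowhere else; a wrong password returns the record untouched, so an attacker cannot trigger a rewrite. Raising `CURRENT_COST` later is enough to make every older record upgrade itself on its next successful connection.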

Sounds interesting. The main problem I (currently) see is that the Credentials API only defines an operation for retrieving credentials but not for upgrading/updating. However, such an operation could be added (again) ...

sophokles73 avatar Jan 27 '20 12:01 sophokles73