kratos
Support for PBKDF2 with Whirlpool Hash Function for User Imports
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [x] I have joined the Ory Community Slack.
- [x] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
Our current user management system employs PBKDF2 with Whirlpool for password hashing. As we are planning to migrate to ORY Kratos for our identity management needs, we've encountered a limitation: Kratos does not currently support the Whirlpool hash function, only various SHA functions. This discrepancy prevents us from importing our existing user passwords directly into Kratos without compromising our security standards or forcing our users to reset their passwords.
Describe your ideal solution
We would like Kratos to include support for the Whirlpool hash function in conjunction with PBKDF2 for password hashing. This addition would enable us to import our user data seamlessly, maintaining our current level of security and ensuring a smooth transition for our users.
Workarounds or alternatives
In a "lazy migration", where we migrate users when they log in, we would have their clear passwords and could send them to Kratos. However, this wouldn't work for users that don't log in within the migration period. We will definitely need a bulk migration for the remaining users. Those users we would have to ask to assign a new password.
Version
1.0.0
Additional Context
It's worth noting that other identity management platforms, such as Auth0, support a wider range of hash functions, including Whirlpool.
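The "lazy migration" workaround described in this issue, as an added example that is not part of the original issue and is not Kratos code: a login that verifies against the legacy PBKDF2 hash is re-hashed under the new scheme, and accounts that never log in stay on the legacy hash. Assumptions: scrypt stands in for the target system's hasher, SHA-512 replaces Whirlpool when the local OpenSSL build does not provide it, and the iteration count, user names and passwords are constructed.

```python
import hashlib
import hmac
import os

def pick_legacy_digest():
    # Whirlpool is usable only if the local OpenSSL exposes it; SHA-512 is a stand-in.
    try:
        hashlib.pbkdf2_hmac("whirlpool", b"probe", b"salt", 1)
        return "whirlpool"
    except ValueError:
        return "sha512"

LEGACY_DIGEST = pick_legacy_digest()
LEGACY_ITERATIONS = 10_000  # constructed value, not taken from the issue

def legacy_hash(password, salt):
    return hashlib.pbkdf2_hmac(LEGACY_DIGEST, password.encode(), salt, LEGACY_ITERATIONS)

def new_hash(password, salt):
    # Assumption: scrypt stands in for whatever hasher the target system uses.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def make_legacy_user(password):
    salt = os.urandom(16)
    return {"scheme": "legacy", "salt": salt, "hash": legacy_hash(password, salt)}

def login(users, name, password):
    """Verify a login; a successful legacy login is re-hashed under the new scheme."""
    rec = users.get(name)
    if rec is None:
        return False
    verify = legacy_hash if rec["scheme"] == "legacy" else new_hash
    if not hmac.compare_digest(verify(password, rec["salt"]), rec["hash"]):
        return False
    if rec["scheme"] == "legacy":
        salt = os.urandom(16)  # fresh salt; the clear password is only available now
        users[name] = {"scheme": "new", "salt": salt, "hash": new_hash(password, salt)}
    return True

def still_legacy(users):
    """Accounts that never logged in during the window: bulk import or reset."""
    return sorted(n for n, r in users.items() if r["scheme"] == "legacy")

def demo():
    # Constructed sample accounts.
    users = {"alice": make_legacy_user("correct horse"), "bob": make_legacy_user("hunter2")}
    attempts = [login(users, "alice", "wrong"), login(users, "alice", "correct horse"),
                login(users, "alice", "correct horse")]
    return attempts, users["alice"]["scheme"], still_legacy(users)
```

The account left in `still_legacy` is the case the issue raises: without an importer that understands the legacy hash, it can only be handled by a password reset.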