OWASP / ASVS

Application Security Verification Standard

Password Storage Algorithms 2.4.1 revisited

jmanico opened this issue · comments

We once had specific password storage requirements. While those were removed, I believe including guidance on using a strong, modern password hashing algorithm like Argon2id would be very beneficial to developers.

Argon2id is a widely recommended choice due to its dynamic configuration capability and projected longevity. It would encourage developers to adopt a best-in-class approach for password security.

Therefore, I propose adding a requirement similar to this:

[MODIFIED, MERGED FROM 2.4.3, 2.4.4] Verify that user passwords are stored using an approved password hashing algorithm, such as Argon2id, that is securely configured according to current guidance.

This aligns well with the high-level goals of ASVS 2.4.1 while offering more specific guidance for developers.

I also like @elarlang's suggestion from #1812 (comment) if that is still valid.
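As an added example (not part of this issue or of the ASVS project's code), one way to test the "securely configured according to current guidance" clause of the proposed requirement at login time: parse the PHC-encoded Argon2 string as stored and compare it against the minimum Argon2id parameters the OWASP Password Storage Cheat Sheet currently lists. The policy floor, the sample records and the function names are assumptions made here.

```python
import re
from dataclasses import dataclass

# Policy floor taken from the OWASP Password Storage Cheat Sheet's minimum
# Argon2id configuration (19 MiB memory, 2 iterations, 1 lane). Assumed here;
# raise the values as your hardware budget allows.
POLICY = {"m": 19 * 1024, "t": 2, "p": 1}

# PHC string format: $argon2id$v=19$m=...,t=...,p=...$<salt>$<hash>
_PHC = re.compile(
    r"^\$(?P<alg>argon2(?:id|i|d))\$v=(?P<v>\d+)\$"
    r"m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$"
    r"(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)


@dataclass
class HashCheck:
    ok: bool
    reasons: list


def check_stored_hash(encoded: str) -> HashCheck:
    """Parse an Argon2 PHC string and list every way it misses the policy."""
    m = _PHC.match(encoded)
    if not m:
        return HashCheck(False, ["not a parseable Argon2 PHC string"])
    reasons = []
    if m["alg"] != "argon2id":
        reasons.append(f"variant {m['alg']} is not argon2id")
    if int(m["v"]) != 19:  # 19 == 0x13, the current Argon2 version
        reasons.append(f"version {m['v']} is not 0x13 (19)")
    for name in ("m", "t", "p"):
        if int(m[name]) < POLICY[name]:
            reasons.append(f"{name}={m[name]} below policy minimum {POLICY[name]}")
    return HashCheck(not reasons, reasons)


def needs_rehash(encoded: str) -> bool:
    """Call right after a successful password check; True means re-hash now."""
    return not check_stored_hash(encoded).ok


# Constructed sample records; salt and digest bytes are dummies, not real output.
SAMPLES = {
    "good": "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNo",
    "weak": "$argon2id$v=19$m=4096,t=1,p=1$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNo",
    "wrong": "$argon2i$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNo",
}
```

Running `check_stored_hash` over a dump of the credential table gives a quick inventory of legacy or under-configured hashes to migrate on next login.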

It is not valid anymore, as discussed and decided here #1923 (comment) and committed here 76268ea

Yeah we had a lot of back and forth on this and the current position is how we decided.

Argon2id is mentioned in the very first bullet of the password storage cheatsheet tl;dr which is what we refer to.

If you don't mind, I will close this as a done deal for now.