Drop iteration-based, hashed SHA512 passwords in favor of Argon2, bcrypt or PBKDF2
CrsiX opened this issue · comments
Currently, passwords are hashed with SHA512, then salted and hashed x
times before being stored in the database, where x
is a custom parameter (defaults to 2^20 iterations, but is set to 1 for unittests).
It's recommended to use something more recent and probably more secure like bcrypt, Argon2 or PBKDF2 to hash and store the passwords in the database, instead of just plain SHA512 (even though the number of iterations make it harder to brute-force).
This will be an incompatible change, forcing all applications to re-signup! This change will also have to delete all applications during the migration. Therefore, backward compatibility is broken.