riverrun / comeonin

Password hashing specification for the Elixir programming language

Home Page: https://hex.pm/packages/comeonin


[FEATURE] Add rehash guide / feature for changing to a new algorithm

rhbvkleef opened this issue · comments

Problem

I found myself copying over a simple layer on top of comeonin to each of my projects. That layer handles functions like needs_rehash and branching out to all the different hashing implementations. You can find a link to the gist in Solution.

Solution

See this gist for a concept implementation. You'll also find a Comeonin.Plain module there; you may disregard it.

I implemented very simple (and probably incomplete) get_hash_mod/1 and needs_rehash/1 functions. It's also not very pluggable. In the case of needs_rehash/1, opts may need to be checked, probably in each separate hashing module.

Additional info

It might be useful to use something like this to implement your own proper dispatch module if you are going to go down the road of issue #130.

You'd have each hashing module implement functions like my_hash(hash) to check if this module can produce or verify that hash, and a function like needs_rehash(hash, opts) to check whether the provided hash's settings are the same as the provided settings (from opts or Application.get_env).
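The dispatch layer sketched in this issue, written out as an added example (it is not comeonin's code and not the gist linked above): hash_mod/1 plays the role of my_hash, picking the backend from the crypt-style prefix of a stored hash; needs_rehash?/1 flags hashes made by a different algorithm or with weaker cost parameters than the current target; verify_and_maybe_rehash/2 is the rehash-on-login flow, the one point where the plaintext is available to produce a replacement hash. It assumes the separate bcrypt_elixir, argon2_elixir and pbkdf2_elixir libraries and their hash_pwd_salt/2, verify_pass/2 and no_user_verify/1 functions; the module name MyApp.PasswordHash, the choice of Argon2 as the target and the cost parameters are choices made for this example.

```elixir
# Added example, not code from comeonin or from the gist referenced in the issue.
# Assumes bcrypt_elixir, argon2_elixir and pbkdf2_elixir (each exposes
# hash_pwd_salt/2, verify_pass/2 and no_user_verify/1). The module name, the
# target algorithm and the cost parameters are assumptions for this example.
defmodule MyApp.PasswordHash do
  # Algorithm and parameters every *new* hash must use. Raising a cost here,
  # or switching @target, makes needs_rehash?/1 flag every older hash.
  @target Argon2
  @target_opts [t_cost: 3, m_cost: 16, parallelism: 4]

  # Map a stored hash to the library that can verify it, by its prefix.
  # nil for anything unrecognised, so garbage never reaches the wrong backend.
  def hash_mod("$argon2" <> _), do: Argon2
  def hash_mod("$2" <> _), do: Bcrypt            # $2a$, $2b$, $2y$
  def hash_mod("$pbkdf2-" <> _), do: Pbkdf2      # $pbkdf2-sha512$...
  def hash_mod(_), do: nil

  def hash_pwd_salt(password), do: @target.hash_pwd_salt(password, @target_opts)

  # Verify against whichever backend produced the hash. An unrecognised hash
  # still burns a comparable amount of time, so it cannot be told apart from a
  # wrong password by response timing.
  def verify_pass(password, hash) do
    case hash_mod(hash) do
      nil ->
        @target.no_user_verify(@target_opts)
        false

      mod ->
        mod.verify_pass(password, hash)
    end
  end

  # A hash needs replacing when it was made by a different algorithm or with
  # weaker parameters than @target_opts. The parameters are read back out of
  # the hash string itself rather than taken from config, because the config
  # may have changed since the hash was written.
  def needs_rehash?(hash) do
    hash_mod(hash) != @target or weaker_than_target?(hash)
  end

  # "$argon2id$v=19$m=65536,t=3,p=4$<salt>$<hash>": m is in KiB, so it is
  # compared with 2^m_cost.
  defp weaker_than_target?("$argon2" <> _ = hash) do
    [_, _, _, params | _] = String.split(hash, "$")

    got =
      params
      |> String.split(",")
      |> Map.new(fn kv ->
        [k, v] = String.split(kv, "=")
        {k, String.to_integer(v)}
      end)

    got["m"] < Integer.pow(2, @target_opts[:m_cost]) or
      got["t"] < @target_opts[:t_cost] or
      got["p"] < @target_opts[:parallelism]
  end

  # Any other algorithm is already flagged by the hash_mod/1 comparison above;
  # if @target were Bcrypt or Pbkdf2, a clause parsing their cost/rounds field
  # would go here in the same way.
  defp weaker_than_target?(_), do: false

  # Rehash-on-login: only a successful verification proves the plaintext is
  # right, so only then is a replacement hash produced for the caller to store.
  def verify_and_maybe_rehash(password, hash) do
    cond do
      not verify_pass(password, hash) -> {:error, :invalid_password}
      needs_rehash?(hash) -> {:ok, :rehash, hash_pwd_salt(password)}
      true -> {:ok, :current}
    end
  end
end
```

A login handler would call verify_and_maybe_rehash/2 and, on {:ok, :rehash, new_hash}, write new_hash back to the user record in the same request; hashes of users who never log in again keep the old algorithm, which is the reason to keep the legacy backends (and their verify path) in place until those accounts are reset or retired.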

I will have a closer look at this over the next week and get back to you as soon as I can.

One question: when do you think you will use needs_rehash? I can understand that you would need something like that when upgrading to a new algorithm - going from Bcrypt to Argon2, for example, but are there any other situations where you would need it?

No, not really, I think.

My plan at the moment is to add this functionality as something separate from the main library, or to just add documentation on how to best handle rehashing.

Hey is there any update on this? I've found myself wanting to change from Bcrypt to Pbkdf2 in some of my projects. Cheers

The wiki guide is here.

If you have any questions, or anything is unclear, please let me know.