---
**[tickets:#8566] support newer pwd hashs, remove deprecated 'crypt'**
**Status:** in-progress
**Milestone:** unreleased
**Created:** Tue Jul 02, 2024 07:42 PM UTC by Dave Brondsema
**Last Updated:** Tue Jul 02, 2024 07:42 PM UTC
**Owner:** Dave Brondsema

Our LDAP plugin's password handling uses `crypt`, which is deprecated since 3.11
and removed in 3.13: https://docs.python.org/3/library/crypt.html

`crypt` only supports a few algorithms anyway; it'd be good to support argon2,
scrypt, bcrypt, pbkdf2_sha512.

Local password storage does sha256 and definitely should be updated.

Similar/same config options for local & LDAP hashing?

https://passlib.readthedocs.io/en/stable/ seems pretty good and supports a lot
of algorithms, but it isn't maintained the best :(

If an admin configures a new password hashing algorithm, we should make it be a
seamless transition, including when someone logs in to re-hash the password,
when needed.
---
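
The re-hash-on-login transition the ticket asks for, as an added sketch that is not Allura's code and not part of the original message. It uses only `hashlib` rather than passlib; the `scheme$rounds$salt_hex$digest_hex` record format, the function names, and `pbkdf2_sha512` at 210,000 rounds as the admin-configured target are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed policy and record format (illustrative, not Allura's):
#   "scheme$rounds$salt_hex$digest_hex"
PREFERRED_SCHEME = "pbkdf2_sha512"
PREFERRED_ROUNDS = 210_000

def _derive(scheme, rounds, salt, password):
    pw = password.encode("utf-8")
    if scheme == "sha256":          # legacy: one salted SHA-256 pass
        return hashlib.sha256(salt + pw).digest()
    if scheme == "pbkdf2_sha512":
        return hashlib.pbkdf2_hmac("sha512", pw, salt, rounds)
    raise ValueError(f"unsupported scheme: {scheme}")

def hash_password(password, scheme=PREFERRED_SCHEME, rounds=PREFERRED_ROUNDS):
    salt = os.urandom(16)
    digest = _derive(scheme, rounds, salt, password)
    return f"{scheme}${rounds}${salt.hex()}${digest.hex()}"

def needs_rehash(scheme, rounds):
    # Upgrade on a scheme change and also when the work factor was raised.
    return scheme != PREFERRED_SCHEME or rounds < PREFERRED_ROUNDS

def verify_and_upgrade(password, stored):
    """Return (ok, replacement); replacement is a record to persist, or None."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
        rounds = int(rounds)
        expected = bytes.fromhex(digest_hex)
        actual = _derive(scheme, rounds, bytes.fromhex(salt_hex), password)
    except ValueError:
        return False, None          # malformed or unknown record: fail closed
    if not hmac.compare_digest(actual, expected):
        return False, None
    # Only a successful login has the plaintext needed to re-hash.
    if needs_rehash(scheme, rounds):
        return True, hash_password(password)
    return True, None
```

The caller persists the replacement record only when it is not `None`, so accounts migrate one login at a time while records in the old format keep verifying.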