From 4e1a66e8796142e0dd9ce34b6c9815d83d4afd79 Mon Sep 17 00:00:00 2001 From: Chris Wagner Date: Tue, 28 May 2024 18:53:32 -0700 Subject: [PATCH] Change default password hash to argon2 (#982) close #980 --- CHANGES.rst | 12 +++++- README.rst | 2 +- docs/configuration.rst | 12 +++--- docs/features.rst | 21 ++++++--- docs/installation.rst | 2 +- docs/quickstart.rst | 16 +++---- docs/two_factor_configurations.rst | 3 +- flask_security/core.py | 7 ++- pyproject.toml | 2 +- tests/test_hashing.py | 68 ++++++++++++------------------ tests/test_misc.py | 4 +- 11 files changed, 75 insertions(+), 74 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index 61d4f862..a0a5d5d6 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -8,15 +8,23 @@ Version 5.5.0 Released TBD -Features -++++++++ +Features & Improvements ++++++++++++++++++++++++ - (:issue:`956`) Add support for changing registered user's email (:py:data:`SECURITY_CHANGE_EMAIL`). +- (:pr:`xxx`) Change default password hash to argon2 (was bcrypt). See below for details. Fixes +++++ - (:pr:`972`) Set :py:data:`SECURITY_CSRF_COOKIE` at beginning (GET /login) of authentication ritual - just as we return the CSRF token. (thanks @e-goto) +Backwards Compatibility Concerns ++++++++++++++++++++++++++++++++++ +- Notes around the change to argon2 as the default password hash: + - applications should add the argon2_cffi package to their requirements (it is included in the flask_security[common] extras). + - leave bcrypt installed to that old passwords still work. + - the default configuration will re-hash passwords with argon2 upon first use. + Version 5.4.3 ------------- diff --git a/README.rst b/README.rst index 5d5e5dd7..da73bc30 100644 --- a/README.rst +++ b/README.rst 
@@ -56,7 +56,7 @@ Goals * WebAuthn support (5.0) * Two-Factor recovery codes (5.0) * First-class support for username as identity (4.1) - * Support for fresheness decorator to ensure sensitive operations have new authentication (4.0) + * Support for freshness decorator to ensure sensitive operations have new authentication (4.0) * Support for email normalization and validation (4.0) * Unified signin (username, phone, passwordless) feature (3.4) diff --git a/docs/configuration.rst b/docs/configuration.rst index ee020978..d4438bc3 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -80,10 +80,10 @@ These configuration keys are used globally across all features. .. py:data:: SECURITY_PASSWORD_HASH Specifies the password hash algorithm to use when hashing passwords. - Recommended values for production systems are ``bcrypt``, ``argon2``, ``sha512_crypt``, or + Recommended values for production systems are ``argon2``, ``bcrypt``, or ``pbkdf2_sha512``. Some algorithms require the installation of a backend package (e.g. `bcrypt`_, `argon2`_). - Default: ``"bcrypt"``. + Default: ``"argon2"``. .. py:data:: SECURITY_PASSWORD_SCHEMES @@ -134,9 +134,11 @@ These configuration keys are used globally across all features. .. py:data:: SECURITY_PASSWORD_HASH_PASSLIB_OPTIONS - Pass additional options to the various hashing methods. This is a - dict of the form ``{__
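Review bot: in the CHANGES.rst hunk, the new Features entry still carries the placeholder `(:pr:`xxx`)` while the subject line already references #982, so the placeholder should be resolved before merge. In the same hunk the Backwards Compatibility bullet `- leave bcrypt installed to that old passwords still work.` should read `so that`; since the re-hash to argon2 only happens "upon first use", existing bcrypt hashes remain in the database until each user next authenticates, so that bullet is the one operators will rely on and should be unambiguous.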
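Review bot: in the docs/configuration.rst hunk at `@@ -80,10 +80,10 @@`, changing the default to ``"argon2"`` turns "Some algorithms require the installation of a backend package" into a statement about the default itself, so the SECURITY_PASSWORD_HASH text should say plainly that the default now needs the argon2 backend installed (CHANGES.rst names the argon2_cffi package and the flask_security[common] extra); otherwise a fresh install with default settings fails at the first password hash with no hint in the configuration docs. The same hunk also drops ``sha512_crypt`` from the recommended values list; if that is deliberate, a one-line note in CHANGES.rst would save users who currently set it from wondering whether it is still supported.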