Replies: 1 comment 3 replies
-
|
That's a good point, however difficult to implement. If it becomes a real issue for you please do open up a feature request :) If it's just theoretical we will need to keep it on the long list of things to do at some point :) |
Beta Was this translation helpful? Give feedback.
-
|
I think it shouldn't be that difficult. If I understand correctly, bcrypt, argon, and pbkdf encode their parameters in the hash value, so we can extract this information and compare against current parameters. |
Beta Was this translation helpful? Give feedback.
-
|
too late maybe, but decoding hash is not that simple task |
Beta Was this translation helpful? Give feedback.
-
|
If by "decoding a hash" you mean recovering the original password, then that's not necessary here. Kratos already has a mechanism to automatically migrate hashes. When you log in, you provide your password. If the password is positively verified against the hash stored in the DB, and we see that the hash is using an older hashing algorithm, we can generate a new hash and store it. Kratos already does it. My point is that it only works when changing between hash types (e.g. migrating bcrypt to argon2). If the algorithm is the same, but only its parameters have changed (e.g. the number of iterations in argon2), Kratos won't "upgrade" the hash. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I see that Kratos will migrate hashed password between different hashing algorithms (https://github.com/ory/kratos/blob/master/selfservice/strategy/password/login.go#L81), but it seems it won't update the hash if e.g. Argon2 parameters are changed. Let's say I increase Argon2 parameters, because previous ones were too weak. Or maybe I decrease them, because I keep running out of memory/CPU. Shouldn't we also migrate hashes in that situation?
Beta Was this translation helpful? Give feedback.
All reactions