Bcrypt for password storage #46
Comments
It's done in the next major version, with guidance of users to update their password.
Brilliant!
I guess we can close this then, but unfortunately the next major version link isn't working for me.
But finishing the next version will take time... so if someone can meanwhile improve security of the current version exposed...
Yes, please.
It might make sense to shift to the standard password hashing library bcrypt instead of using a custom salt. Cracking bcrypted passwords takes considerably more computing power than SHA1 does, which will slow down any attacker that gets control of the database.
That said, using an upstream IDP might be even better.