Bcrypt for password storage

[MarkJaroski]

It might make sense to shift to the standard password hashing library bcrypt instead of using a custom salt. Cracking bcrypted passwords takes considerably more computing power than SHA1 does, which will slow down any attacker that gets control of the database.

That said, using an upstream IDP might be even better.

[agilare]

It's done in the next major version, with guidance of users to update their password.
We could already to that in this version; changing the method of crypt is simple but we'll have also to add a page for users asking them to update their password, and this new password will be saved using bcrypt.

[MarkJaroski]

Brilliant!

[MarkJaroski]

I guess we can close this then, but unfortunately the next major version link isn't working for me.

[agilare]

But finishing the next version will take time... so if someone can meanwhile improve security of current version exposed...
The repo of the next version is private, I can add you if you're intersted to contribute to it.

[MarkJaroski]

Yes, please.