A nice additional functionality might be a way to create new hashes after validating a password.
This would be a modified version of checkPassword that returns a new hash that has new parameters. (Using Argon2 as a concrete example, the idea would be implemented for all algorithms)
This would have some way of indicating that the check was successful or not, and if successful it would return the new hash that can be used to overwrite the previously stored hash.
Not quite sure if we'd want to limit it to strengthening passwords, with an opt-in to be able to make passwords weaker; or just to put the responsibility on the user, since there are legitimate reasons to decrease the hashing cost programmatically.
Of course the parameters should be compared to the current hash and there should be some way to indicate the password was correct, but also that the hash might not need to be updated (i.e. because the current hash already matches the parameters given).
I've been thinking about this for a while now, and some points that came up were:
PBKDF2 and bcrypt are easily "strengthened", but scrypt and Argon2 are a bit ambiguous when determining if one set of parameters is "stronger" than another.
We could either add functions that just return a new hash with the given parameters if the given hash was different, basically leaving the usage to the user (maybe returning the original parameters of the given hash so the user can decide what to do).
This would result in double hashing of a password before returning from the function, which increases the time end-users would have to wait for a confirmation of their password being correct or not. Maybe we can include a way to have the rehashing ("strengthening") of the hash happen in another thread? Like have the user give a callback that (if a new hash is made, this will be handled in a different thread)?
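A concrete sketch of the check-then-rehash flow discussed in this issue and its comments, added here as an example and not code from this project: it uses PBKDF2-SHA256 from Python's standard library (the thread notes PBKDF2's parameters are easy to compare) with a constructed PHC-style storage string; the function names, the `allow_weaker` opt-in and the string format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALG = "pbkdf2-sha256"  # assumed storage label, constructed for this example


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a PHC-style string: $pbkdf2-sha256$i=<iterations>$<salt>$<key>."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$%s$i=%d$%s$%s" % (ALG, iterations, _b64(salt), _b64(key))


def parse_hash(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored string into (iterations, salt, key); ValueError on bad input."""
    _, alg, params, salt_b64, key_b64 = stored.split("$")
    if alg != ALG or not params.startswith("i="):
        raise ValueError("unsupported hash format")
    return int(params[2:]), base64.b64decode(salt_b64), base64.b64decode(key_b64)


def check_and_rehash(password: str, stored: str, iterations: int,
                     allow_weaker: bool = False) -> Tuple[bool, Optional[str]]:
    """Verify `password` against `stored`, then decide whether a new hash is needed.

    Returns (ok, new_hash). new_hash is None when the password is wrong, when the
    stored hash already uses the target parameters, or when the target would weaken
    the hash and the caller did not opt in via allow_weaker.
    """
    cur_iterations, salt, key = parse_hash(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cur_iterations)
    if not hmac.compare_digest(candidate, key):
        return False, None  # wrong password: never emit a hash
    if iterations == cur_iterations:
        return True, None  # correct, and the stored hash already matches the parameters
    if iterations < cur_iterations and not allow_weaker:
        return True, None  # correct, but refuse to weaken without an explicit opt-in
    # Second KDF run on the same request: the extra latency the comments mention.
    return True, hash_password(password, iterations)
```

The second KDF call only runs on a successful check whose parameters differ, so the added latency is paid only when a rehash actually happens.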