New Features
- An argon2 feature has been added that supports using the argon2 password hashing algorithm instead of the bcrypt password hashing algorithm. While argon2 does not provide an advantage over bcrypt if the attacker cannot access the password hashes directly (which is how Rodauth is recommended to be used), in cases where attackers can access the password hashes directly, argon2 is thought to be more difficult or expensive to crack because it requires more memory (bcrypt is not a memory-hard password hash algorithm).

  If you are using this feature with Rodauth's database authentication functions, you need to make sure that the database authentication functions are configured to support argon2 in addition to bcrypt. You can do this by passing the :argon2 option when calling the method to define the database functions. In this example, DB should be your Sequel::Database object (this could be self if used in a Sequel migration):

    require 'rodauth/migrations'

    # If the functions are already defined and you are not using PostgreSQL,
    # you need to drop the existing functions.
    Rodauth.drop_database_authentication_functions(DB)

    # If you are using the disallow_password_reuse feature, also drop the
    # database functions related to that if you are not using PostgreSQL:
    Rodauth.drop_database_previous_password_check_functions(DB)

    # Define new functions that support argon2:
    Rodauth.create_database_authentication_functions(DB, argon2: true)

    # If you are using the disallow_password_reuse feature, also define
    # new functions that support argon2 for that:
    Rodauth.create_database_previous_password_check_functions(DB, argon2: true)

  You can transparently migrate bcrypt password hashes to argon2 password hashes whenever a user successfully uses their password by using the argon2 feature in combination with the update_password_hash feature.
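The transparent upgrade described above, as an added example that is not Rodauth's own code: a stored hash is verified with whatever scheme produced it, and on a successful login (the only moment the plaintext is available) it is rehashed with the preferred scheme. Because neither the bcrypt nor the argon2 gem is part of Ruby's standard library, this example assumes PBKDF2-HMAC-SHA256 as a stand-in for bcrypt and scrypt (memory-hard, like argon2) as a stand-in for argon2; the `$scheme$salt$digest` storage format and the `AccountStore` class are constructed for the example and are not Rodauth's table layout or API.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Rodauth code. PBKDF2 stands in for bcrypt and scrypt
# stands in for argon2; the self-describing "$scheme$salt$digest" format plays
# the role of the "$2a$..." / "$argon2id$..." prefixes real hashes carry.
module PasswordHash
  LEGACY       = 'pbkdf2'.freeze  # stand-in for bcrypt (assumption)
  PREFERRED    = 'scrypt'.freeze  # stand-in for argon2 (assumption)
  SCHEMES      = [LEGACY, PREFERRED].freeze
  SALT_BYTES   = 16
  DIGEST_BYTES = 32

  # Derive the raw digest for +password+ under +scheme+ with the given raw salt.
  def self.digest(password, scheme, salt)
    case scheme
    when LEGACY
      OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000,
                               length: DIGEST_BYTES, hash: 'sha256')
    when PREFERRED
      # N=2**14, r=8 needs about 16 MiB per derivation; that memory cost is
      # what a memory-hard KDF adds over a CPU-only one.
      OpenSSL::KDF.scrypt(password, salt: salt, N: 2**14, r: 8, p: 1,
                          length: DIGEST_BYTES)
    else
      raise ArgumentError, "unknown scheme #{scheme.inspect}"
    end
  end

  # Produce a stored hash string with a fresh random salt.
  def self.create(password, scheme: PREFERRED)
    salt = SecureRandom.random_bytes(SALT_BYTES)
    "$#{scheme}$#{[salt].pack('m0')}$#{[digest(password, scheme, salt)].pack('m0')}"
  end

  # Scheme name embedded in a stored hash, or nil if the hash is malformed.
  def self.scheme_of(stored)
    parts = stored.to_s.split('$')
    parts.size == 4 && SCHEMES.include?(parts[1]) ? parts[1] : nil
  end

  # Verify +password+ against +stored+ using the scheme the hash declares.
  def self.verify(password, stored)
    scheme = scheme_of(stored) or return false
    _, _, salt_b64, digest_b64 = stored.split('$')
    expected = digest_b64.unpack1('m0')
    actual   = digest(password, scheme, salt_b64.unpack1('m0'))
    constant_time_equal?(expected, actual)
  end

  # Length check first, then XOR every byte so timing does not leak a prefix.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed in-memory account table standing in for the accounts storage.
class AccountStore
  attr_reader :hashes

  def initialize
    @hashes = {}
  end

  def create(email, password, scheme: PasswordHash::PREFERRED)
    @hashes[email] = PasswordHash.create(password, scheme: scheme)
  end

  # Returns :no_account, :bad_password, :migrated (hash upgraded) or :ok.
  def login(email, password)
    stored = @hashes[email] or return :no_account
    return :bad_password unless PasswordHash.verify(password, stored)
    # Only a successful login has the plaintext in hand, so this is the one
    # moment a legacy hash can be upgraded without a forced password reset.
    return :ok if PasswordHash.scheme_of(stored) == PasswordHash::PREFERRED
    @hashes[email] = PasswordHash.create(password)
    :migrated
  end
end

if __FILE__ == $PROGRAM_NAME
  store = AccountStore.new
  store.create('alice@example.com', 'correct horse battery', scheme: PasswordHash::LEGACY)
  puts store.login('alice@example.com', 'correct horse battery')  # migrated
  puts PasswordHash.scheme_of(store.hashes['alice@example.com'])   # scrypt
end
```

A failed login never touches the stored hash, so an attacker guessing passwords cannot use the migration path to learn anything about which scheme an account uses beyond what the hash prefix already states; the upgrade happens exactly once, on the first successful use after the feature is enabled.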
Other Improvements
- Unnecessary queries to determine whether the new password matches a previous password are now skipped when using the create_account or verify_account features with the disallow_password_reuse feature.