Use a better password hashing algorithm
Closed this issue · 1 comments
Using standard hashing algorithms from digest for passwords is not secure (anymore). You are vulnerable to a number of attacks, in particular to brute-force attacks.
I would suggest using a dedicated password hashing algorithm like scrypt, bcrypt, argon2 etc. More on this here: https://download.libsodium.org/doc/password_hashing/
> The function deriving a key from a password and a salt is CPU intensive and intentionally requires a fair amount of memory. Therefore, it mitigates brute-force attacks by requiring a significant effort to verify each password.
The sodium package implements something very nice:
```r
# password_store() derives an scrypt hash with a fresh random salt and returns
# it as a self-describing "$7$..." string (parameters and salt are embedded)
sodium::password_store(password = "wat")
#> [1] "$7$C6..../....HHM5gAOk/6vdFKYFjG0a6MXPtKkljccJax.tfl5mJL4$5m0cYitpFUdswBbOEL51Jd8L5AtodOOu0FonRzn0UlA"

# password_verify() re-derives the hash from the stored string and the candidate
# password and returns TRUE only on a match
sodium::password_verify(sodium::password_store(password = "wat"), "wat")
#> [1] TRUE
```
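As an added example (not code from the issue author or from the project), one way to migrate an existing user store from a plain digest to sodium: new users get a sodium hash, and a legacy hash is transparently re-hashed the next time its owner logs in successfully. It assumes the user store is a named list and that the legacy hashes are unsalted SHA-256 from digest; both are assumptions, not facts about this project.

```r
library(sodium)
library(digest)

# Legacy scheme the issue warns against: a fast, unsalted digest (assumed sha256).
legacy_hash <- function(password) digest(password, algo = "sha256", serialize = FALSE)

# users is a named list: name -> list(hash = <string>, scheme = "legacy" | "sodium")
# New users are always stored with sodium's scrypt-based password_store().
add_user <- function(users, name, password) {
  users[[name]] <- list(hash = password_store(password), scheme = "sodium")
  users
}

# Authenticate a user; on success, upgrade a legacy digest hash to a sodium hash.
# Returns list(ok = <logical>, users = <possibly updated store>).
authenticate <- function(users, name, password) {
  u <- users[[name]]
  if (is.null(u)) {
    # Spend the same work as a real check so an unknown name is not a timing oracle
    password_verify(password_store("dummy"), password)
    return(list(ok = FALSE, users = users))
  }
  ok <- if (u$scheme == "sodium") {
    password_verify(u$hash, password)
  } else {
    identical(u$hash, legacy_hash(password))
  }
  if (isTRUE(ok) && u$scheme == "legacy") {
    # Only possible at login time: the plaintext is needed to build the new hash
    users[[name]] <- list(hash = password_store(password), scheme = "sodium")
  }
  list(ok = isTRUE(ok), users = users)
}

# Constructed sample data: one legacy user, one user created under the new scheme
users <- list(alice = list(hash = legacy_hash("correct horse"), scheme = "legacy"))
users <- add_user(users, "bob", "battery staple")

r <- authenticate(users, "alice", "correct horse")
stopifnot(r$ok, r$users$alice$scheme == "sodium", startsWith(r$users$alice$hash, "$7$"))
users <- r$users
stopifnot(!authenticate(users, "alice", "wrong")$ok)
stopifnot(authenticate(users, "bob", "battery staple")$ok)
stopifnot(!authenticate(users, "nobody", "anything")$ok)
# The same password stored twice gives different strings: a fresh salt each time
stopifnot(password_store("x") != password_store("x"))
```

Legacy hashes that never see a successful login stay weak, so a migration like this should be paired with a deadline after which unconverted accounts are forced through a password reset.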
Hi Dirk,
Thanks for your advice. I've been meaning to do this for a while but haven't found the time yet. I was planning to use the bcrypt package but sodium looks great also. Would you recommend this over bcrypt?