[FEATURE] Add rehash guide / feature for changing to a new algorithm
rhbvkleef opened this issue · 7 comments
Problem
I found myself copying over a simple layer on top of comeonin to each of my projects. That layer handles functions like `needs_rehash` and branching out to all different hashing implementations. You can find a link to the gist in Solution.
Solution
See this gist for a concept implementation. You'll also find a Comeonin.Plain module there; you may disregard it.
I implemented very simple (and probably incomplete) `get_hash_mod/1` and `needs_rehash/1` functions. It's also not very pluggable. In the case of `needs_rehash/1`, `opts` may need to be checked. Probably in each separate hashing module.
Additional info
It might be useful to use something like this to implement your own proper dispatch module if you are going to go down the road of issue #130.
You'd have each hashing module implement functions like `my_hash hash` to check if this module can produce or verify that hash, and a function like `needs_rehash hash, opts` to check whether the provided hash's settings are the same as the provided settings (from `opts` or `Application.get_env`).
I will have a closer look at this over the next week and get back to you as soon as I can.
One question: when do you think you will use `needs_rehash`? I can understand that you would need something like that when upgrading to a new algorithm - going from Bcrypt to Argon2, for example, but are there any other situations where you would need it?
No, not really, I think.
My plan at the moment is to add this functionality as something separate from the main library, or to just add documentation how to best handle rehashing.
Hey, is there any update on this? I've found myself wanting to change from Bcrypt to Pbkdf2 in some of my projects. Cheers
For reference's sake, here are a few links on how to change the hashing algorithm:
https://stackoverflow.com/questions/1533744/how-to-upgrade-a-password-storage-scheme-change-hashing-algorithm
https://stackoverflow.com/questions/14399750/moving-old-passwords-to-new-hashing-algorithm
https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016#legacy-hashes
https://www.michalspacek.com/upgrading-existing-password-hashes
I will write a guide tomorrow on the 'rehashing a password after a successful login' method and add it to the wiki.
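The dispatch design sketched in the first post (`get_hash_mod`, `needs_rehash`) combined with the "rehash after a successful login" method from the last comment, as an added example that is not code from the issue, the gist, or Comeonin itself. It assumes the Comeonin 3.x/4.x-era module names (`Comeonin.Bcrypt`, `Comeonin.Argon2`, `Comeonin.Pbkdf2`) and their `hashpwsalt/1`, `checkpw/2` and `dummy_checkpw/0` functions; the prefix table, the choice of Argon2 as the target algorithm and the `update_hash` callback are this example's own.

```elixir
# Added example, not part of Comeonin: dispatch on the stored hash's prefix,
# verify with the module that produced it, and upgrade stale hashes on login.
defmodule PasswordRehash do
  # Password hash strings are self-describing; the prefix identifies the algorithm.
  # (Assumption: Comeonin 3.x/4.x module names and output formats.)
  @mods [
    {"$argon2", Comeonin.Argon2},
    {"$pbkdf2-", Comeonin.Pbkdf2},
    {"$2b$", Comeonin.Bcrypt},
    {"$2a$", Comeonin.Bcrypt}
  ]

  # The algorithm every *new* hash must use (assumption: Argon2 is the target).
  def current, do: Comeonin.Argon2

  @doc "The module able to verify `hash`, or nil for an unrecognised format."
  def get_hash_mod(hash) when is_binary(hash) do
    Enum.find_value(@mods, fn {prefix, mod} ->
      if String.starts_with?(hash, prefix), do: mod
    end)
  end

  @doc """
  A stored hash is stale when it was not produced by the current algorithm.
  Checking cost/rounds against `opts` would go here too, as the issue suggests,
  but that is per-module work and is left out of this example.
  """
  def needs_rehash?(hash), do: get_hash_mod(hash) != current()

  @doc """
  Verify `password` against `stored_hash`. Only after a successful check, and
  only if the hash is stale, rehash with the current algorithm and hand the new
  hash to `update_hash` (e.g. a function that writes it to the user row).
  """
  def verify_and_upgrade(password, stored_hash, update_hash)
      when is_function(update_hash, 1) do
    case get_hash_mod(stored_hash) do
      nil ->
        # Unknown format: spend the same time as a real check before refusing.
        current().dummy_checkpw()
        {:error, :invalid}

      mod ->
        cond do
          not mod.checkpw(password, stored_hash) -> {:error, :invalid}
          needs_rehash?(stored_hash) ->
            update_hash.(current().hashpwsalt(password))
            {:ok, :rehashed}
          true -> {:ok, :verified}
        end
    end
  end
end
```

Because the plaintext password is only available during login, rows that never log in keep their old hash; a separate policy (forced reset after a cut-off date) is needed to retire the legacy algorithm completely.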