Updated by Oliver Günther over 10 years ago
**As a** user invested in security
**I would like** to have OpenProject rely on a modern password derivation function
**so that** I feel comfortable storing my passwords there.
I suggest using [scrypt](http://www.tarsnap.com/scrypt/scrypt.pdf) instead of bcrypt, [but it really does not matter much](https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016).
The most recent password hashing competition winner is [Argon 2](https://password-hashing.net/), but we should wait a while before moving to it despite its improvements over (s|b)crypt.
I’ve preferred the scrypt gem due to its simple C binding and pleasing syntax. An alternative would have been `rbnacl-libsodium`, but I had difficulties compiling the native extension on the first try.
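For readers who want to see what "relying on scrypt" looks like in practice, here is an added example (not OpenProject's code and not the scrypt gem the ticket refers to): it derives a key with `OpenSSL::KDF.scrypt` from Ruby's bundled openssl extension (assumed to be built against OpenSSL 1.1.0 or newer), stores the work-factor parameters and salt alongside the key in a self-describing string, verifies a candidate password in constant time, and flags stored hashes whose parameters fall behind the current defaults so they can be re-hashed on the next successful login. The `$scrypt$ln=..,r=..,p=..$salt$key` format and the `ScryptPassword` module name are conventions chosen for this example.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Constructed example of scrypt-based password storage using Ruby's OpenSSL
# binding (OpenSSL::KDF.scrypt). Hypothetical module, not OpenProject's.
module ScryptPassword
  # N is the CPU/memory cost (a power of two), r the block size, p the
  # parallelization factor. 2**14, 8, 1 is the interactive-login setting
  # recommended in the scrypt paper; memory use is 128 * r * N bytes (16 MiB).
  DEFAULTS = { n: 2**14, r: 8, p: 1 }.freeze
  SALT_BYTES = 16
  KEY_BYTES  = 32

  # Returns a self-describing string: $scrypt$ln=14,r=8,p=1$<salt>$<key>
  # (both base64). A random salt is drawn unless one is supplied.
  def self.hash(password, salt: SecureRandom.random_bytes(SALT_BYTES), **params)
    params = DEFAULTS.merge(params)
    key = derive(password, salt, params)
    format("$scrypt$ln=%d,r=%d,p=%d$%s$%s",
           Math.log2(params[:n]).to_i, params[:r], params[:p],
           Base64.strict_encode64(salt), Base64.strict_encode64(key))
  end

  # Re-derives the key with the parameters recorded in the stored string and
  # compares in constant time. Malformed input verifies as false.
  def self.verify(password, stored)
    parsed = parse(stored)
    return false unless parsed
    salt, key, params = parsed
    secure_compare(derive(password, salt, params), key)
  end

  # True when the stored hash was produced with weaker (or different)
  # parameters than the current defaults, so the caller can re-hash.
  def self.needs_rehash?(stored, **params)
    parsed = parse(stored)
    return true unless parsed
    parsed[2] != DEFAULTS.merge(params)
  end

  def self.derive(password, salt, params)
    OpenSSL::KDF.scrypt(password, salt: salt, N: params[:n], r: params[:r],
                        p: params[:p], length: KEY_BYTES)
  end
  private_class_method :derive

  def self.parse(stored)
    m = /\A\$scrypt\$ln=(\d+),r=(\d+),p=(\d+)\$([A-Za-z0-9+\/=]+)\$([A-Za-z0-9+\/=]+)\z/.match(stored)
    return nil unless m
    params = { n: 2**m[1].to_i, r: m[2].to_i, p: m[3].to_i }
    [Base64.strict_decode64(m[4]), Base64.strict_decode64(m[5]), params]
  end
  private_class_method :parse

  # Constant-time comparison: XOR every byte pair and OR the results so the
  # running time does not depend on where the first mismatch occurs.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  stored = ScryptPassword.hash("correct horse battery staple")
  puts stored
  puts ScryptPassword.verify("correct horse battery staple", stored)
  puts ScryptPassword.verify("wrong password", stored)
end
```

Recording `ln`, `r` and `p` in the stored value is what makes the work factor tunable later: when hardware gets faster the defaults are raised, `needs_rehash?` reports the old entries, and each is re-hashed the next time its owner logs in, without a forced password reset.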