Updated by Oliver Günther almost 10 years ago
**As a** user invested in security
**I would like** to have OpenProject rely on a modern password derivation function
**so that** I feel comfortable storing my passwords there.
<s>I suggest using [scrypt](http://www.tarsnap.com/scrypt/scrypt.pdf) instead of bcrypt</s>, bcrypt, [but it really does not matter much](https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016).
After recent discussions with Markus, we should strive to use BCrypt to provide compatibility with Augur (should we import those hashes into OP accounts some later time).
The most recent password hashing competition winner is [Argon 2](https://password-hashing.net/), but we should wait a while before moving to it despite its improvements over (s|b)crypt.
I’ve preferred the scrypt gem due to its simple C binding and pleasing syntax. An alternative would have been `rbnacl-libsodium`, but I had difficulties compiling the native extension on the first try.
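As an added illustration of the "modern password derivation function" this story asks for (example code, not OpenProject's or the author's; it uses Ruby's standard-library `OpenSSL::KDF.scrypt` rather than the scrypt gem mentioned above, and the `$scrypt$...` storage format is an assumption for this example): derive a key with a random salt, store the work-factor parameters alongside the hash, verify with a constant-time comparison, and detect stored hashes that should be re-hashed after the parameters are raised.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Example module (not OpenProject code). Stored form, assumed for this example:
#   $scrypt$N=16384,r=8,p=1$<base64 salt>$<base64 key>
# Keeping N, r, p in the string lets the work factor be raised later
# without invalidating hashes created with the old parameters.
module ScryptPassword
  DEFAULT_PARAMS = { n: 2**14, r: 8, p: 1 }.freeze # raise :n as hardware gets faster
  SALT_BYTES = 16
  KEY_BYTES  = 32

  def self.derive(password, salt, n:, r:, p:)
    OpenSSL::KDF.scrypt(password, salt: salt, N: n, r: r, p: p, length: KEY_BYTES)
  end

  def self.create(password, params = DEFAULT_PARAMS)
    salt = SecureRandom.random_bytes(SALT_BYTES) # fresh per-password salt
    key  = derive(password, salt, **params)
    format('$scrypt$N=%d,r=%d,p=%d$%s$%s', params[:n], params[:r], params[:p],
           Base64.strict_encode64(salt), Base64.strict_encode64(key))
  end

  # Returns [params, salt, key]; rejects strings that are not in our format.
  def self.parse(stored)
    _, scheme, param_str, salt_b64, key_b64 = stored.split('$', 5)
    raise ArgumentError, 'not an scrypt hash' unless scheme == 'scrypt' && key_b64
    params = param_str.split(',').map { |kv| k, v = kv.split('='); [k.downcase.to_sym, Integer(v)] }.to_h
    [params, Base64.strict_decode64(salt_b64), Base64.strict_decode64(key_b64)]
  end

  def self.verify(password, stored)
    params, salt, expected = parse(stored)
    constant_time_equal?(derive(password, salt, **params), expected)
  end

  # True when the stored hash was made with weaker/different parameters
  # than the current policy, so it should be re-hashed on next successful login.
  def self.needs_rehash?(stored, params = DEFAULT_PARAMS)
    parse(stored).first != params
  end

  # Compare without early exit so timing does not leak how many bytes matched.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```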