hydra

Author	SHA1	Message	Date
Your Name	4677a7c894	perlcritic: use strict, use warnings	2021-09-06 22:13:33 -04:00
Graham Christensen	79b0ddc27d	hydra-create-user: re-hash sha1 as Argon2	2021-04-16 12:32:13 -04:00
Graham Christensen	d10d8964f2	Users: add a validation step which lets the user's password be a Argon2 hashed sha1 hash. OWASP suggests expiring all passwords and requiring users to update their password. However, we don't have a way to do this. They suggest this mechanism as a good alternative: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#upgrading-legacy-hashes	2021-04-16 12:32:13 -04:00
Graham Christensen	1da70030b7	Users: transparently upgrade passwords to Argon2 Passwords that are sha1 will be transparently upgraded to argon2, and future comparisons will use Argon2 Co-authored-by: Graham Christensen <graham@grahamc.com>	2021-04-15 11:35:11 -04:00
Graham Christensen	29620df85e	Passwords: check in constant time The default password comparison logic does not use constant time validation. Switching to constant time offers a meager improvement by removing a timing oracle. A prepatory step in moving to Argon2id password storage, since we'll need this change anyway after for validating existing passwords. Co-authored-by: Graham Christensen <graham@grahamc.com>	2021-04-15 11:34:56 -04:00