Rodauth 2.10.0 Released


Feb 22, 2021, 11:58:45 AM
to Rodauth
Rodauth 2.10.0 has been released!

= New Features

* An argon2 feature has been added that supports using the argon2
  password hashing algorithm instead of the bcrypt password hashing
  algorithm.  While argon2 does not provide an advantage over bcrypt
  if the attacker cannot access the password hashes directly (which
  is how Rodauth is recommended to be used), in cases where attackers
  can access the password hashes directly, argon2 is thought to be
  more difficult or expensive to crack due to requiring more memory
  (bcrypt is not a memory-hard password hash algorithm).

  If you are using this feature with Rodauth's database authentication
  functions, you need to make sure that the database authentication
  functions are configured to support argon2 in addition to bcrypt.
  You can do this by passing the :argon2 option when calling the
  method to define the database functions.  In this example, DB should
  be your Sequel::Database object (this could be self if used in a
  Sequel migration):

    require 'rodauth/migrations'

    # If the functions are already defined and you are not using PostgreSQL,
    # you need to drop the existing functions.
    Rodauth.drop_database_authentication_functions(DB)

    # If you are using the disallow_password_reuse feature, also drop the
    # database functions related to that if you are not using PostgreSQL:
    Rodauth.drop_database_previous_password_check_functions(DB)

    # Define new functions that support argon2:
    Rodauth.create_database_authentication_functions(DB, argon2: true)

    # If you are using the disallow_password_reuse feature, also define
    # new functions that support argon2 for that:
    Rodauth.create_database_previous_password_check_functions(DB, argon2: true)

  You can transparently migrate bcrypt password hashes to argon2
  password hashes whenever a user successfully uses their password
  by using the argon2 feature in combination with the
  update_password_hash feature.
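
  The script below is an added illustration of that transparent migration (it is not Rodauth's own code): it verifies a stored hash with whichever algorithm produced it and, on success, hands back a replacement argon2 hash for the caller to store. The bcrypt and argon2 hashers are constructed stand-ins built on salted SHA-256 so the script runs with only the standard library; in a real deployment the bcrypt and argon2 gems do that work, and the only thing the stand-ins share with them is the hash prefix.

```ruby
require 'digest'
require 'securerandom'

# Constant-time comparison so a digest mismatch does not leak timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed stand-in hasher (hypothetical; not bcrypt or argon2). Salted
# SHA-256 is used only so the example runs offline. The output keeps the
# real prefix so the prefix-based dispatch below behaves as it would with
# genuine hashes sitting side by side in the same table.
def stand_in_hasher(prefix)
  {
    hash: ->(pw) {
      salt = SecureRandom.hex(8)
      "#{prefix}#{salt}$#{Digest::SHA256.hexdigest(salt + pw)}"
    },
    verify: ->(pw, h) {
      salt, digest = h.delete_prefix(prefix).split('$', 2)
      salt && digest && secure_compare(digest, Digest::SHA256.hexdigest(salt + pw))
    }
  }
end

HASHERS = {
  bcrypt: stand_in_hasher('$2b$12$'),    # real bcrypt hashes start with $2a$, $2b$ or $2y$
  argon2: stand_in_hasher('$argon2id$')  # real argon2 hashes start with $argon2 (PHC format)
}.freeze

# During a migration both kinds of hash coexist, so choose the verifier from
# the stored hash itself rather than from configuration.
def algorithm_for(stored_hash)
  stored_hash.start_with?('$argon2') ? :argon2 : :bcrypt
end

# Returns [ok, replacement]. replacement is nil when the stored hash already
# uses the preferred algorithm, otherwise a fresh preferred-algorithm hash
# that the caller writes back to the account row after a successful login.
def authenticate(password, stored_hash, preferred: :argon2)
  algo = algorithm_for(stored_hash)
  return [false, nil] unless HASHERS[algo][:verify].call(password, stored_hash)
  replacement = algo == preferred ? nil : HASHERS[preferred][:hash].call(password)
  [true, replacement]
end

if __FILE__ == $PROGRAM_NAME
  legacy = HASHERS[:bcrypt][:hash].call('correct horse battery staple')
  ok, upgraded = authenticate('correct horse battery staple', legacy)
  puts "login ok=#{ok}, rehashed to: #{upgraded}"
end
```

A failed login never triggers a rehash, and a second login with the upgraded hash returns no replacement, so the write-back happens exactly once per account.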

= Other Improvements

* Unnecessary queries to determine whether the new password matches
  a previous password are now skipped when using the create_account
  or verify_account features with the disallow_password_reuse
