[keycloak-dev] argon2 password hashing
Stian Thorgersen
sthorger at redhat.com
Mon Apr 25 11:30:37 EDT 2016
We an to introduce a password policy spi soon, but for now you're stuck
with the built-in policies.
On 25 Apr 2016 16:43, "Bruno Oliveira" <bruno at abstractj.org> wrote:
> I believe we don't have an SPI for this, yet. See:
> https://issues.jboss.org/browse/KEYCLOAK-2824.
>
> IMO, Argon2 is completely new and aside from the bindings, we don't have
> a Java implementation, yet for this. I'm not sure if is a good idea to
> introduce C to the codebase, but totally doable to have an SPI for
> policies.
>
> On 2016-04-25, Roelof Naude wrote:
> > hi,
> >
> > a client has requested the use of the argon2 [1, 2] password hashing
> > scheme. this can easily be added as an external provider. we do however
> > require custom password policies, e.g. memory / parallelism cost as well
> as
> > salt length. AFAIK there is no way to provide policy extensions using a
> > provider interface?
> >
> > would argon2 be a worthwhile contribution?
> >
> > regards
> > roelof.
> >
> > [1] https://github.com/P-H-C/phc-winner-argon2
> > [2] https://github.com/phxql/argon2-jvm
>
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
> --
>
> abstractj
> PGP: 0x84DC9914
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160425/4522ea4d/attachment.html
More information about the keycloak-dev
mailing list