Consider the future of passlib
and password hashing/upgrading
#15454
Labels
needs discussion
a product management/policy issue maintainers and users should discuss
security
Security-related issues and pull requests
We use
passlib
in warehouse as part of our user account management service:warehouse/warehouse/accounts/services.py
Lines 79 to 93 in 26a3446
The TL;DR of what this does is allows user password hash algorithms to evolve over time, and as users log in with their passwords they are confirmed and replaced with the newer (presumably more secure) hash algorithms, preventing the user from needing to reset a password only to get the latest and greatest algorithm.
passlib hasher docs can be found here: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.html
The most recent release of
passlib
was in 2020, and raises warnings for usingcrpyt
, which will turn into breakages under Python 3.13, so this is not yet a blocker, it's something we should consider long before it becomes one.Here's an issue for maintenance status that has yet to be resolved, either by nominating new maintainers, or some other resolution.
In the interim another contender has emerged -
pwdlib
(author launch blog post), which appears to haveargon2
andbcrypt
support.So in theory, we could leverage
pwdlib
and continue to leverage the upgradability-behavior, however we'd still need to account for folks that have yet to log in in modern times and the lack of older algo support inpwdlib
.pwdlib
also does not yet supportdisable()
oris_enabled()
which we use today, but could be replaced by using the boolean flagUser.is_active
or such.Alternately, since it's not urgent yet, we can continue to observe the evolving space around
passlib
and hope that a new maintenance team arises before it becomes a severe issue.Some SQL counting:
The text was updated successfully, but these errors were encountered: