Allow has_secure_password to configure hashing algorithm

paulspringett · October 26, 2022, 8:43am

I’d like to propose (and offer to implement) additional functionality to the has_secure_password feature, and wanted to gauge the appetite for this from the core team and the community.

The has_secure_password method currently supports bcrypt which has been the industry standard for a good while. However, some advise suggests Argon2id should be the first choice for password hashing, and inevitably eventually the best practices will change (to this or another algorithm).

NB. Cryptography and trends in security best-practices isn’t my area of expertise so please correct me on the above if it’s incorrect

Given the ongoing progression of hardware it feels prudent to firstly support newer hashing algorithms, but also allow has_secure_password to be extensible going forwards.

My proposal would be as follows:

Allow has_secure_password to accept an optional algorithm keyword argument (open to alternative naming suggestions)

This would still default to bcrypt to prevent breaking changes.

For example:

class User < ApplicationRecord
  has_secure_password algorithm: :argon2id
end

Refactor to choose an implementation based on the algorithm specified

Move the bcrypt version into ActiveModel::SecurePassword::BCrypt and delegate methods to that class/module.

Implement other algorithms (such as SCrypt and Argon2Id) which provides the same API as the BCrypt implementation.

Load the implementation based on the algorithm specified on the has_secure_password call (falling back to the default is none provided).

Each implementation can require the relevant underlying gem to perform the hashing.

Future proofing migrations

Considering a future scenario where an app needs to make the switch from bcrypt to say argon2id, a developer could then do the following:

class User < ApplicationRecord
  # Original implementation using BCrypt
  has_secure_password

  # New implementation
  has_secure_password :replacement_password, algorithm: :argon2id
end

The new password could then be safely migrated and stored on successful login:

class SessionsController < ApplicationController
  def create
    if (user = User.authenticate_by(user_params))
      user.replacement_password = user_params[:password]
      user.save!
      redirect_to root_path
    else
      ...
    end
  end

  private

  def user_params
    params.permit(:username, :password)
  end
end

Notes

A suggestion was made for this back in Feb 2021, but rejected without rationale. There may have been perfectly valid reasoning for not considering with hashing algorithms at the time. If this is still the case I would be interested in understanding the reasoning.

github.com/rails/rails

Implement Argon2 as an alternative to using the BCrypt gem

opened 02:03AM - 12 Feb 21 UTC

closed 05:58PM - 12 Feb 21 UTC

ghost

### Steps to reproduce  None known. ### Expected behavior Using both/either `bcrypt` or [`ruby-argon2`](https://github.com/technion/ruby-argon2) should allow access to `has_secure_password`. ### Actual behavior Currently (as far as a relatively new person to Rails knows), only the `bcrypt` gem enables usage of [`has_secure_password`](https://github.com/rails/rails/blob/291a3d2ef29a3842d1156ada7526f4ee60dd2b59/activemodel/lib/active_model/secure_password.rb#L18), aside from external libraries which re-implement methods or change the behaviour of ActiveRecord models. As a comparison with other projects in a similar realm (namely, [Symfony](https://symfony.com/blog/new-in-symfony-4-1-argon2i-configuration) amongst others), Argon2 is an alternative to `bcrypt` which gives developers/users of Rails more flexibility in which password hashing mechanism will work "out of the box" with Rails. ### System configuration **Rails version**: 6.1.2.1 **Ruby version**: 2.7.2 Note: - If any of the above is inappropriate etc. for an issue, or isn't detailed enough, please let me know so I can amend/change the wording of the issue. - If this is already being worked on (and I've done a bad job searching for it), please close this issue.

There’s a third party implement here that shows this is possible to implement

Topic		Replies	Views
Support Different Column Names in has_secure_password rubyonrails-core	5	620	February 6, 2015
has_secure_password: authenticate method rubyonrails-talk	1	151	July 1, 2013
ActiveModel::SecurePassword can handle other algoritms than bcrypt? rubyonrails-core	0	287	May 23, 2020
Enhancements to has_secure_password A May Of WTFs	2	968	May 18, 2020
AR::Base#has_secure_password and PasswordValidator rubyonrails-core	0	242	December 19, 2010

Allow has_secure_password to configure hashing algorithm

Related topics

More Resources