Suggestion: change password hashing from pbkdf2 to bcrypt

[EpicCoder]

Last week I migrated from GitLab to gitea but had problems with the password hashes. GitLab uses 'bcrypt' and gitea uses 'pbkdf2' so I needed to modify gitea to work with 'bcrypt' and now it works fine.

Today I read that GitHub also uses 'bcrypt' for password hashing, so I think it would maybe better to move to 'bcrypt' so it's easier to migrate between different platforms.

[lunny]

For a compatible implementation, we can add a config option to define hash functions. Default is pbkdf2 and you can use bcrypt.

[lunny]

@EpicCoder could you send a PR to do that?

[EpicCoder]

The config option is a good idea. Yes I will working on this and send a PR soon

[d-Pixie]

If you are going to do this I would suggest moving beyond bcrypt as well and add options for scrypt and argon2 as well.

Short on the different algorithms:
PBKDF2 - still the recommendation from NIST but can be meaningfully accelerated on GPU hardware.
bcrypt - proven (1999) technology that uses iteration count and sizable memory requirements to prevent GPU acceleration, can still be meaningfully accelerated on FPGAs.
scrypt - newer (2009) technology that allows implementer to tweak both memory block size and iteration count. Has proven to be weaker than bcrypt IF the memory block size is too small. If you have a system that doesn't need to handle many login attempts per minute, and can hence up the memory block size requirement to something like 256Mb, it is vastly harder to accelerate on FPGAs than bcrypt - but only for now.
argon2 - new technology that won the password hashing algorithm contest a few years back and has already been subjected to several evaluations from cryptography experts (leading to some tweaks in the algorithm). On paper it is the current best choice, but might have some hidden weakness yet to be found.

Choice is always good and these are all good choices depending on what situation you are in. A password hash that specifies the algorithm and config for it is a great idea and would allow one to change on the fly when the circumstances change.