Secure password hashing

I’ve just seen the recent commit [3] on password hashing and would like to propose PHP’s password_hash function [1], which is way more secure.

See also [2] for why SSHA_512 is not really secure.

[1] PHP: password_hash - Manual
[2] passwords - Difference between SSHA512 and SHA512 - Cryptography Stack Exchange
[3] https://git.tt-rss.org/git/tt-rss/commit/6359259dbb1e8d5b569f569a7089abffd9259d30

nobody is going to put any resources into breaking your tt-rss password.

even if someone decides to use le cloud to break it, they’ll need a password hash first. which implies getting a database dump, at which point they already have everything anyway.

try to relax.

from that link

The more modern approach is then to use Argon2 or bcrypt instead which perform much worse on GPUs.

gitea developers had a brilliant idea to use argon2 for password hashing, by default, which caused OOM crashes because it’s just so unimaginably memory hungry.

which is why, partly at the result of my bug report, gitea is not going to use argon2 for password hashing, by default:

the point here is not throwing the proverbial baby out with the bathwater.

also, i must add that

this is a kindergarten-tier understanding of hashing if i ever saw one.
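Added example, not from this thread or from tt-rss, putting the two schemes discussed above side by side: a single-pass salted SHA-512 (a simplified stand-in for SSHA512, with the salt passed separately rather than parsed out of the stored value) next to password_hash(), plus a verify-and-upgrade path. The 64 MiB Argon2id memory ceiling and bcrypt cost 12 are assumed values chosen here to keep per-login memory a known quantity, which is the gitea concern raised above.

```php
<?php
// Legacy scheme as the thread characterises it: one SHA-512 pass over salt + password.
// The salt only defeats precomputed tables; the hash itself stays cheap on GPUs.
function legacy_ssha512(string $password, string $salt): string {
    return base64_encode(hash('sha512', $salt . $password, true) . $salt);
}

// password_hash() generates the salt and embeds algorithm + cost parameters in the
// returned string, so password_verify() needs nothing else from the caller.
// memory_cost is in KiB. Setting it explicitly (assumed value: 64 MiB) bounds what one
// concurrent login costs; lower it if many verifications run at once.
const ARGON2_OPTIONS = ['memory_cost' => 64 * 1024, 'time_cost' => 3, 'threads' => 1];
const BCRYPT_OPTIONS = ['cost' => 12];   // assumed value; bcrypt is always available

function hash_password(string $password): string {
    if (defined('PASSWORD_ARGON2ID')) {
        return password_hash($password, PASSWORD_ARGON2ID, ARGON2_OPTIONS);
    }
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Verify, and when the stored hash is legacy or was made with weaker parameters,
// return a fresh hash for the caller to store. Returns null on a wrong password.
function verify_and_upgrade(string $password, string $stored, ?string $legacy_salt = null): ?string {
    $ok = ($legacy_salt !== null)
        ? hash_equals($stored, legacy_ssha512($password, $legacy_salt))   // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
    $opts = defined('PASSWORD_ARGON2ID') ? ARGON2_OPTIONS : BCRYPT_OPTIONS;
    if ($legacy_salt !== null || password_needs_rehash($stored, $algo, $opts)) {
        return hash_password($password);   // caller stores this and retires the old hash
    }
    return $stored;
}

// Constructed demo values: a legacy hash is accepted once, then replaced.
$salt = random_bytes(16);
$old  = legacy_ssha512('correct horse', $salt);
$new  = verify_and_upgrade('correct horse', $old, $salt);
echo ($new !== null && $new !== $old) ? "upgraded to: $new\n" : "login failed\n";
echo (verify_and_upgrade('wrong password', $new) === null) ? "rejected\n" : "BUG\n";
```

password_needs_rehash() is what lets the memory or time cost be raised later without a forced password reset: each successful login re-hashes under the current parameters.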

I’m fine with it. It was a proposal.

There is no reason for personal attacks because of a typo.

oh i didn’t mean the typo.