mirror of
https://github.com/verdaccio/verdaccio.git
synced 2024-12-16 21:56:25 -05:00
| verdaccio-htpasswd |
|---|
| major |
feat: allow other password hashing algorithms (#1917)
breaking change
The current implementation of the `htpasswd` module supports multiple hash formats on verify, but only `crypt` on sign in. `crypt` is an insecure old format, so to improve the security of the new verdaccio release we introduce support for multiple hash algorithms at the sign-in step.
New hashing algorithms
The new hash algorithms available are `bcrypt`, `md5`, and `sha1`. `bcrypt` is chosen as the default because of its customizable complexity and overall reliability. You can read more about them here.
Two new properties are added to the `auth` section in the configuration file:

- `algorithm` chooses the way you want to hash passwords.
- `rounds` determines `bcrypt` complexity, so one can improve security as computational power increases.
Example of the new `auth` config file section:

```yaml
auth:
  htpasswd:
    file: ./htpasswd
    max_users: 1000
    # Hash algorithm, possible options are: "bcrypt", "md5", "sha1", "crypt".
    algorithm: bcrypt
    # Rounds number for "bcrypt", will be ignored for other algorithms.
    rounds: 10
```
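The following is an added example, not code from verdaccio: a Node.js sketch that classifies the entries of an existing htpasswd file by stored hash format and compares each one with the configured `algorithm` and `rounds`. The function names, the prefix patterns (the usual htpasswd conventions: `$2a$`/`$2b$`/`$2y$`, `$apr1$`, `{SHA}`, 13-character crypt) and the sample entries are assumptions constructed for illustration.

```javascript
// Added example: audit htpasswd entries against the configured hash settings.
// Sample entries are constructed placeholders, not real password hashes.
const SAMPLE_HTPASSWD = [
  'alice:$2b$10$' + 'A'.repeat(53) + ':autocreated 2020-01-01T00:00:00.000Z',
  'bob:$2a$04$' + 'B'.repeat(53),
  'carol:$apr1$saltsalt$' + 'C'.repeat(22),
  'dave:{SHA}' + 'D'.repeat(27) + '=',
  'erin:ab' + 'E'.repeat(11),
  '',
].join('\n');

// Identify the hash format from its prefix and shape (hypothetical helper).
function classifyHash(hash) {
  const bcrypt = /^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$/.exec(hash);
  if (bcrypt) return { algorithm: 'bcrypt', rounds: Number(bcrypt[1]) };
  if (/^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$/.test(hash)) {
    return { algorithm: 'md5' };
  }
  if (/^\{SHA\}[A-Za-z0-9+/]{27}=$/.test(hash)) return { algorithm: 'sha1' };
  if (/^[./A-Za-z0-9]{13}$/.test(hash)) return { algorithm: 'crypt' };
  return { algorithm: 'unknown' };
}

// Compare every entry with the configured algorithm; for bcrypt, also
// require the stored cost to be at least the configured rounds.
function auditHtpasswd(text, config) {
  const findings = [];
  for (const line of text.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (!trimmed) continue;
    // Fields are colon-separated: user, hash, optional trailing metadata.
    const [user, hash = ''] = trimmed.split(':');
    const info = classifyHash(hash);
    let matchesConfig = info.algorithm === config.algorithm;
    if (matchesConfig && info.algorithm === 'bcrypt') {
      matchesConfig = info.rounds >= config.rounds;
    }
    findings.push({ user, ...info, matchesConfig });
  }
  return findings;
}

console.table(auditHtpasswd(SAMPLE_HTPASSWD, { algorithm: 'bcrypt', rounds: 10 }));
```

Entries reported with `matchesConfig: false` are stored in a different format, or at a lower bcrypt cost, than the current settings request.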