To enhance password security

[rktyt]

Currently (as of v3.35.1), it's not easy to customize password validation (password policy).
To do it properly, you need to enable the disableLocalStrategy option and implement a custom strategy.
But that's not really what we're aiming for — it should be supported out of the box.

I also think the password hashing algorithm should be configurable out of the box, without having to override the entire auth strategy.
PBKDF2 is currently used for password hashing, but the iterations and digest settings are hardcoded, making them non-configurable.
Our organization is required to follow the OWASP guidelines (see: OWASP Password Storage Cheat Sheet), and as such, the current implementation of password hashing doesn't meet our requirements.
In some cases, we may also prefer to use Argon2id instead of PBKDF2.
Additionally, the strength requirements for password hashes are reviewed annually.

Related issues or discussions:

• I'm unable to change the validation rules for the password field in the users collection. #11982
• How to add a hook for password under user.ts #2615
• feat req: Hash password in the frontend for better security #12189
• Which password hashing algorithms are supported #616
• Improved Authentication in Payload #3298

---

I think it would be ideal if it could be specified as follows.

import type { CollectionConfig } from 'payload'

export const Users: CollectionConfig = {
  ...
  auth: {
    password: {
      /*  Password policy configuration */
      policy: {// optional
        minLength: 12, // optional: default 3
        maxLength: 255, // optional
        requiredCharcterTypes: {// optional
          special: true, // same as symbols
          uppercase: true, // Uppercase alphabetic characters
          lowercase: true, // Lowercase alphabetic characters
          numbers: true,
        },
        supportSpecialCharacters: '^$*.[]{}()?"!@#%&/\\,><\':;|_~`=+- ', // optional
        expiration: 90 * 24 * 60 * 60 * 1000, // optional: Upon successful login, if the specified time has elapsed since the password was set or updated, the user is redirected to the password change screen. While this is no longer strictly necessary, it may still be required due to company policies.
      },
      /* Alternatively, only the password validation method can be specified */
      validate(value) { // optional
        // The same type as TextFieldSingleValidation
        // Any validation code

        return true // no errors
      },

      /* Password hashing configuration */
      hash: { // optional
        algorithm: 'pbkdf2', // 'argon2id' or others
        // The required libraries are specified as optional dependencies. Currently, supporting argon2id and pbkdf2 should be sufficient.
        params: { // Available properties depend on the chosen algorithm.
          iterators: 210_000,
          digest: 'sha512',
        },
        /*
        Notes:
        It is necessary to consider how to update the hashes of existing records when configuration changes are made.
        At the very least, the configuration values should be stored in the database.
        It would be ideal to have a flow similar to the one described at https://experienceleague.adobe.com/en/docs/commerce-operations/configuration-guide/security/password-hashing.
        */
      },
    },
  },
}