Which password hashing algorithms are supported

[Erudition]

Documentation Issue

I cannot find anything in the documentation on how the password hashing works. I see the hash and salt are stored in the database, but not a field regarding which algorithm was used (does this mean it's hardcoded?)

Additional Details

We at Snowdrift.coop are currently using PBKDF1, for example, and now that Payload is FLO I'd like to advocate using it for our new site. If we could migrate our user database without having to force everyone to reset their password, that would be a boon.

Ideally, we store the old hashes with a hash algo field set to PBKDF1, and upon password reset Payload can replace it with whatever it uses as default. Both would co-exist peacefully and the old records would slowly be replaced over time.

[jmikrut]

Hey @Erudition — we use passport-local-mongoose for password hashing.

There, you can configure the hashing algorithm and many more options:

https://github.com/saintedlama/passport-local-mongoose#options

But, we don't currently expose a way to override passport-local-mongoose options, and we may be sunsetting our usage of this plugin entirely as it is if we want to move to other databases. So, I'd say that it'd be pretty easy for the Payload config to expose a way to customize passport-local-mongoose options, but that may be a temporary measure if we do decide to scrap it.

What are your thoughts?

PS - I'm going to move this to a Discussion so we can continue there!

[Erudition]

We're fine with the temporary nature of that solution, actually, because we only want to migrate our current users off of the PBKDF1-hashed passwords they currently have, to whatever else going forward. This would allow us to switch to Payload sooner, as we don't want to force every user out there to do a password reset.

I'm not seeing PBKDF1 on that mongoose page, but I do see PBKDF2 mentioned, so perhaps this isn't possible either way.

Do you have an alternative idea for how we can migrate our user account table to Payload? Thanks!

[jmikrut]

Hey @Erudition — we've actually recently built the Extensible Authentication Strategies feature that's on our roadmap. This means that now you can build your own strategy and authenticate however you need. This could be an option for you.

Tomorrow, we're releasing 1.0, which will include that feature. It will let you use any Passport auth strategy that exists, so in the meantime, you could take a peek through the PassportJS strategies and see if you can find one that suits you (or, build your own).

Exciting times ahead!