Make Default Password Alg. settable on the install page #14674
Comments
Please think very carefully about this - this is a clear downgrade in terms of security that everyone upgrading will need to address themselves and adjust config accordingly if they don't wish to accept it. Make sure that if you proceed with reverting default algo to pbkdf2, it is clearly communicated in release notes along with an example given to users on how to avoid this change happening.
Nothing against this
There's a balance here. Argon2 is clearly causing multiple problems. I cannot recommend argon2 in good conscience at present. I agree we need to make this very clear on the blog post releasing the version as it clearly is extreme.
We should note that in our release notes of v1.13.3 and v1.14.0. And this is only the default algorithm; users could still change it in the configuration file.
Fix go-gitea#14674 Signed-off-by: Andrew Thornton <art27@cantab.net>
Add Password Algorithm option to install page Fix #14674 Co-authored-by: John Olheiser <john.olheiser@gmail.com>
... we just move back to pbkdf2 but make it settable on the install page with warnings about the issues.
Originally posted by @zeripath in #14294 (comment)