User password hashes: are Argon2 hashes supported?



There is no standard way to store passwords in an SQL database. There are several different ways to do this. privacyIDEA supports the most common ways like Wordpress hashes starting with $P or $S. Secure hashes starting with {SHA} or salted secure hashes starting with {SSHA}, {SSHA256} or {SSHA512}. Password hashes of length 64 are interpreted as OTRS sha256 hashes.

“most common ways like Wordpress hashes” is not explicitly clear …

By default, out of the box, PI appears to use {SSHA256} hash when locally managing/creating users in the internal realm.

Are only the pwd hashes listed above supported?

Specifically, are Argon2id hashes supported? ideally, Argon2id, or even ‘just’ Argon2i?

I do see in PI venv the python argon2x passlib handlers,

cat /lib/python3.6/site-packages/passlib/handlers/
	"""passlib.handlers.argon2 -- argon2 password hash wrapper

	* argon2
	    - home:
	    - whitepaper:
	* argon2 cffi wrapper
	    - pypi:
	    - home:
	* argon2 pure python
	    - pypi:
	    - home:

but, so far, I’ve found no mention of “Argon2” either in PI’s docs, or forums.

Hi, the hash algorithms supported by the SQL Id resolver for hash generation and verification can be found here:

And I guess you’re right, Argon2 is currently unsupported. But as privacyIDEA uses passlib which does implement Argon2 (as you wrote), it shouldn’t be too hard to add Argon2 support to the SQL Id resolver. If you want to take a shot at it, feel free to open a PR!

The million dollar question is, how an application would indicate that the stored hash is an argon hash.
So imho as long as this is not clear there is only limited sense in doing so.
@nope: Which application actually uses Argon2 and what prefix does it use?

The argon hash is currently not supported by privacyIDEA. We could add it to the available passlib context but we would also need to install an argon2 package.