ory · aeneasr · Apr 1, 2021 · Mar 22, 2021 · Mar 23, 2021 · Mar 23, 2021
diff --git a/docs/docs/concepts/credentials/username-email-password.mdx b/docs/docs/concepts/credentials/username-email-password.mdx
@@ -10,7 +10,8 @@ during registration and login.
 ORY Kratos hashes the password after registration, password reset, and password
 change using the [Argon2 Hashing Algorithm](../security.mdx#Argon2), the winner
 of the
-[Password Hashing Competition (PHC)](https:/P-H-C/phc-winner-argon2).
+[Password Hashing Competition (PHC)](https:/P-H-C/phc-winner-argon2),
+or Bcrypt.
 
 ## Configuration
 
@@ -24,8 +25,9 @@ selfservice:
  enabled: true
 ```
 
-in your ORY Kratos configuration. You can configure the Argon2 hasher using the
-following options:
+in your ORY Kratos configuration.
+
+You can configure the Argon2 hasher using the following options:
 
 ```yaml title="path/to/my/kratos/config.yml"
 # $ kratos -c path/to/my/kratos/config.yml serve
@@ -38,6 +40,24 @@ hashers:
  key_length: 32
 ```
 
+By default, Kratos uses Argon2 algorithm for password hashing. Use the following
+option to use Bcrypt algorithm:
+
+```yaml title="path/to/my/kratos/config.yml"
+hashers:
+ algorithm: bcrypt
+```
+
+Bcrypt algorithm can be configured only by the following `cost` option (default
+value is 12):
+
+```yaml title="path/to/my/kratos/config.yml"
+# $ kratos -c path/to/my/kratos/config.yml serve
+hashers:
+ bcrypt:
+ cost: 12
+```
+
 To determine the ideal parameters, head over to the
 [setup guide](../../guides/setting-up-password-hashing-parameters).
 
@@ -337,7 +357,7 @@ credentials:
  - [email protected]
  - johndoe123
  config:
- hashed_password: ... # this would be `argon2(my-secret-password)`
+ hashed_password: ... # this would be a hash of `my-secret-password` string
 ```
 
 Because credential identifiers need to be unique, no other identity can be

@@ -1294,6 +1294,13 @@
  "title": "Hashing Algorithm Configuration",
  "type": "object",
  "properties": {
+ "algorithm": {
+ "title": "Password hashing algorithm",
+ "description": "One of the values: argon2, bcrypt",
+ "type": "string",
+ "default": "argon2",
+ "enum": ["argon2", "bcrypt"]
+ },
  "argon2": {
  "title": "Configuration for the Argon2id hasher.",
  "type": "object",
@@ -1320,6 +1327,20 @@
  }
  },
  "additionalProperties": false
+ },
+ "bcrypt": {
+ "title": "Configuration for the Bcrypt hasher.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["cost"],
+ "properties": {
+ "cost": {
+ "type": "integer",
+ "minimum": 12,
+ "maximum": 31,
+ "default": 12
+ }
+ }
  }
  },
  "additionalProperties": false

@@ -36,6 +36,7 @@ const (
  DefaultIdentityTraitsSchemaID = "default"
  DefaultBrowserReturnURL = "default_browser_return_url"
  DefaultSQLiteMemoryDSN = dbal.SQLiteInMemory
+ DefaultPasswordHashingAlgorithm = "argon2"
  UnknownVersion = "unknown version"
  ViperKeyDSN = "dsn"
  ViperKeyCourierSMTPURL = "courier.smtp.connection_uri"
@@ -84,18 +85,21 @@ const (
  ViperKeySelfServiceVerificationBrowserDefaultReturnTo = "selfservice.flows.verification.after." + DefaultBrowserReturnURL
  ViperKeyDefaultIdentitySchemaURL = "identity.default_schema_url"
  ViperKeyIdentitySchemas = "identity.schemas"
+ ViperKeyHasherAlgorithm = "hashers.algorithm"
  ViperKeyHasherArgon2ConfigMemory = "hashers.argon2.memory"
  ViperKeyHasherArgon2ConfigIterations = "hashers.argon2.iterations"
  ViperKeyHasherArgon2ConfigParallelism = "hashers.argon2.parallelism"
  ViperKeyHasherArgon2ConfigSaltLength = "hashers.argon2.salt_length"
  ViperKeyHasherArgon2ConfigKeyLength = "hashers.argon2.key_length"
+ ViperKeyHasherBcryptCost = "hashers.bcrypt.cost"
  ViperKeyPasswordMaxBreaches = "selfservice.methods.password.config.max_breaches"
  ViperKeyIgnoreNetworkErrors = "selfservice.methods.password.config.ignore_network_errors"
  ViperKeyVersion = "version"
  Argon2DefaultMemory uint32 = 4 * 1024 * 1024
  Argon2DefaultIterations uint32 = 4
  Argon2DefaultSaltLength uint32 = 16
  Argon2DefaultKeyLength uint32 = 32
+ BcryptDefaultCost uint32 = 12
 )
 
 // DefaultSessionCookieName returns the default cookie name for the kratos session.
@@ -109,6 +113,9 @@ type (
  SaltLength uint32 `json:"salt_length"`
  KeyLength uint32 `json:"key_length"`
  }
+ Bcrypt struct {
+ Cost uint32 `json:"cost"`
+ }
  SelfServiceHook struct {
  Name string `json:"hook"`
  Config json.RawMessage `json:"config"`
@@ -235,6 +242,14 @@ func (p *Config) HasherArgon2() *Argon2 {
  }
 }
 
+func (p *Config) HasherBcrypt() *Bcrypt {
+ // warn about usage of default values and point to the docs
+ // warning will require https:/ory/viper/issues/19
+ return &Bcrypt{
+ Cost: uint32(p.p.IntF(ViperKeyHasherBcryptCost, int(BcryptDefaultCost))),
+ }
+}
+
 func (p *Config) listenOn(key string) string {
  fb := 4433
  if key == "admin" {
@@ -732,3 +747,15 @@ func (p *Config) PasswordPolicyConfig() *PasswordPolicy {
  IgnoreNetworkErrors: p.p.BoolF(ViperKeyIgnoreNetworkErrors, true),
  }
 }
+
+func (p *Config) HasherPasswordHashingAlgorithm() string {
+ configValue := p.p.StringF(ViperKeyHasherAlgorithm, DefaultPasswordHashingAlgorithm)
+ switch configValue {
+ case "bcrypt":
+ return configValue
+ case "argon2":
+ fallthrough
+ default:
+ return configValue
+ }
+}
@@ -358,7 +358,11 @@ func (m *RegistryDefault) SessionHandler() *session.Handler {
 
 func (m *RegistryDefault) Hasher() hash.Hasher {
  if m.passwordHasher == nil {
- m.passwordHasher = hash.NewHasherArgon2(m)
+ if m.c.HasherPasswordHashingAlgorithm() == "bcrypt" {
+ m.passwordHasher = hash.NewHasherBcrypt(m)
+ } else {
+ m.passwordHasher = hash.NewHasherArgon2(m)
+ }
  }
  return m.passwordHasher
 }

@@ -0,0 +1,107 @@
+package hash
+
+import (
+ "context"
+ "crypto/subtle"
+ "encoding/base64"
+ "fmt"
+ "regexp"
+ "strings"
+
+ "github.com/pkg/errors"
+ "golang.org/x/crypto/argon2"
+ "golang.org/x/crypto/bcrypt"
+
+ "github.com/ory/kratos/driver/config"
+)
+
+var ErrUnknownHashAlgorithm = errors.New("unknown hash algorithm")
+
+func Compare(ctx context.Context, password []byte, hash []byte) error {
+ if isBcryptHash(hash) {
+ return CompareBcrypt(ctx, password, hash)
+ } else if isArgon2idHash(hash) {
+ return CompareArgon2id(ctx, password, hash)
+ } else {
+ return ErrUnknownHashAlgorithm
+ }
+}
+
+func CompareBcrypt(_ context.Context, password []byte, hash []byte) error {
+ if err := validateBcryptPasswordLength(password); err != nil {
+ return err
+ }
+
+ err := bcrypt.CompareHashAndPassword(hash, password)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func CompareArgon2id(_ context.Context, password []byte, hash []byte) error {
+ // Extract the parameters, salt and derived key from the encoded password
+ // hash.
+ p, salt, hash, err := decodeArgon2idHash(string(hash))
+ if err != nil {
+ return err
+ }
+
+ // Derive the key from the other password using the same parameters.
+ otherHash := argon2.IDKey([]byte(password), salt, p.Iterations, p.Memory, p.Parallelism, p.KeyLength)
+
+ // Check that the contents of the hashed passwords are identical. Note
+ // that we are using the subtle.ConstantTimeCompare() function for this
+ // to help prevent timing attacks.
+ if subtle.ConstantTimeCompare(hash, otherHash) == 1 {
+ return nil
+ }
+ return ErrMismatchedHashAndPassword
+}
+
+func isBcryptHash(hash []byte) bool {
+ res, _ := regexp.Match("^\\$2[abzy]?\\$", hash)
+ return res
+}
+
+func isArgon2idHash(hash []byte) bool {
+ res, _ := regexp.Match("^\\$argon2id\\$", hash)
+ return res
+}
+
+func decodeArgon2idHash(encodedHash string) (p *config.Argon2, salt, hash []byte, err error) {
+ parts := strings.Split(encodedHash, "$")
+ if len(parts) != 6 {
+ return nil, nil, nil, ErrInvalidHash
+ }
+
+ var version int
+ _, err = fmt.Sscanf(parts[2], "v=%d", &version)
+ if err != nil {
+ return nil, nil, nil, err
+ }
+ if version != argon2.Version {
+ return nil, nil, nil, ErrIncompatibleVersion
+ }
+
+ p = new(config.Argon2)
+ _, err = fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &p.Memory, &p.Iterations, &p.Parallelism)
+ if err != nil {
+ return nil, nil, nil, err
+ }
+
+ salt, err = base64.RawStdEncoding.Strict().DecodeString(parts[4])
+ if err != nil {
+ return nil, nil, nil, err
+ }
+ p.SaltLength = uint32(len(salt))
+
+ hash, err = base64.RawStdEncoding.Strict().DecodeString(parts[5])
+ if err != nil {
+ return nil, nil, nil, err
+ }
+ p.KeyLength = uint32(len(hash))
+
+ return p, salt, hash, nil
+}
@@ -4,9 +4,6 @@ import "context"
 
 // Hasher provides methods for generating and comparing password hashes.
 type Hasher interface {
- // Compare a password to a hash and return nil if they match or an error otherwise.
- Compare(ctx context.Context, password []byte, hash []byte) error
-
  // Generate returns a hash derived from the password or an error if the hash method failed.
  Generate(ctx context.Context, password []byte) ([]byte, error)
 }

@@ -4,10 +4,8 @@ import (
  "bytes"
  "context"
  "crypto/rand"
- "crypto/subtle"
  "encoding/base64"
  "fmt"
- "strings"
 
  "github.com/pkg/errors"
  "golang.org/x/crypto/argon2"
@@ -59,59 +57,3 @@ func (h *Argon2) Generate(ctx context.Context, password []byte) ([]byte, error)
 
  return b.Bytes(), nil
 }
-
-func (h *Argon2) Compare(ctx context.Context, password []byte, hash []byte) error {
- // Extract the parameters, salt and derived key from the encoded password
- // hash.
- p, salt, hash, err := decodeHash(string(hash))
- if err != nil {
- return err
- }
-
- // Derive the key from the other password using the same parameters.
- otherHash := argon2.IDKey([]byte(password), salt, p.Iterations, p.Memory, p.Parallelism, p.KeyLength)
-
- // Check that the contents of the hashed passwords are identical. Note
- // that we are using the subtle.ConstantTimeCompare() function for this
- // to help prevent timing attacks.
- if subtle.ConstantTimeCompare(hash, otherHash) == 1 {
- return nil
- }
- return ErrMismatchedHashAndPassword
-}
-
-func decodeHash(encodedHash string) (p *config.Argon2, salt, hash []byte, err error) {
- parts := strings.Split(encodedHash, "$")
- if len(parts) != 6 {
- return nil, nil, nil, ErrInvalidHash
- }
-
- var version int
- _, err = fmt.Sscanf(parts[2], "v=%d", &version)
- if err != nil {
- return nil, nil, nil, err
- }
- if version != argon2.Version {
- return nil, nil, nil, ErrIncompatibleVersion
- }
-
- p = new(config.Argon2)
- _, err = fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &p.Memory, &p.Iterations, &p.Parallelism)
- if err != nil {
- return nil, nil, nil, err
- }
-
- salt, err = base64.RawStdEncoding.DecodeString(parts[4])
- if err != nil {
- return nil, nil, nil, err
- }
- p.SaltLength = uint32(len(salt))
-
- hash, err = base64.RawStdEncoding.DecodeString(parts[5])
- if err != nil {
- return nil, nil, nil, err
- }
- p.KeyLength = uint32(len(hash))
-
- return p, salt, hash, nil
-}