SHA-1 for protecting passwords is now considered less and less secure (more explanation: https://www.incapsula.com/blog/sha-1-hash-algorithm-deprecation.html).
So we should upgrade to a stronger hash function; we choose bcrypt for the time being.
Since passwords are stored hashed in the database, migrating all passwords to the new algorithm at once is not possible. So SonarQube must be able to keep the old SHA1 hash and salt, but must upgrade the hash as soon as the cleartext password is available again, that is as soon as the user:
- logs in to SonarQube,
- changes their password.
There are multiple implementations that are sufficient for the time being:
- PBKDF2 (even if it is less secure)
Some literature about cryptographic hash functions:
Java implementations:
- https://github.com/andreas1327250/argon2-java (quality not sufficient)
- https://legacy.gitbook.com/book/jedisct1/libsodium/details (requires JNA)
There is no good pure-Java implementation of Argon2, so let's keep using bcrypt with jBCrypt.
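The lazy migration described above (verify against the legacy SHA1 hash and salt, then rehash with bcrypt on login or password change), as an added example with jBCrypt; this is not SonarQube's own code. The UserRecord fields, the "SHA1"/"BCRYPT" method labels, the cost factor and the exact legacy concatenation sha1("--" + salt + "--" + password + "--") are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat; // Java 17+
import org.mindrot.jbcrypt.BCrypt;

final class PasswordMigration {

  // Assumed shape of the stored user row; the real column names may differ.
  static final class UserRecord {
    String hashMethod;      // "SHA1" (legacy) or "BCRYPT"
    String salt;            // only meaningful for the legacy SHA1 scheme
    String cryptedPassword; // hex SHA-1 digest, or the full bcrypt string
  }

  static final int BCRYPT_COST = 12; // assumed log2 work factor

  // Legacy scheme, assumed here as sha1("--" + salt + "--" + password + "--").
  static String legacySha1(String salt, String password) {
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-1");
      byte[] in = ("--" + salt + "--" + password + "--").getBytes(StandardCharsets.UTF_8);
      return HexFormat.of().formatHex(md.digest(in));
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e);
    }
  }

  // Verifies the password; on success a legacy record is upgraded in place.
  // The caller persists the record. Unknown schemes fail closed.
  static boolean authenticateAndUpgrade(UserRecord user, String password) {
    switch (user.hashMethod) {
      case "BCRYPT":
        return BCrypt.checkpw(password, user.cryptedPassword);
      case "SHA1":
        byte[] expected = user.cryptedPassword.getBytes(StandardCharsets.UTF_8);
        byte[] actual = legacySha1(user.salt, password).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) { // constant-time compare
          return false;
        }
        setBcryptPassword(user, password); // cleartext is available only now
        return true;
      default:
        return false;
    }
  }

  // Also the path taken when the user changes their password.
  static void setBcryptPassword(UserRecord user, String newPassword) {
    user.cryptedPassword = BCrypt.hashpw(newPassword, BCrypt.gensalt(BCRYPT_COST));
    user.salt = null; // bcrypt embeds its own salt in the stored string
    user.hashMethod = "BCRYPT";
  }
}
```

After a successful SHA1 login the row carries a bcrypt string and no separate salt, so a database dump no longer exposes any SHA-1 digest for that user.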