Password Storage
Implement Strong Password Hashing
Use Argon2id: Set SECURITY_PASSWORD_HASH to "argon2". Flask-Security hashes through passlib, whose argon2 handler needs the argon2_cffi package and produces Argon2id hashes, the variant the OWASP Password Storage Cheat Sheet recommends for password storage.
Fallback Configuration: Keep bcrypt in SECURITY_PASSWORD_SCHEMES so hashes created before the switch still verify. SECURITY_DEPRECATED_PASSWORD_SCHEMES defaults to ["auto"], which marks every listed scheme other than the primary one as deprecated, so a user's old bcrypt hash is replaced with an Argon2id hash on their next successful login; users who never log in again keep their bcrypt hash, so audit the table rather than assuming the migration completes on its own.
Implementation:
# In your app configuration
import os

SECURITY_PASSWORD_HASH = "argon2"  # passlib argon2 handler (Argon2id); pip install argon2_cffi
# HMAC key used by Flask-Security's default double hashing, NOT the per-password salt.
# Read it from the environment so the app refuses to start without it.
SECURITY_PASSWORD_SALT = os.environ["SECURITY_PASSWORD_SALT"]
SECURITY_PASSWORD_SCHEMES = ["argon2", "bcrypt"]  # bcrypt kept so existing hashes still verify
SECURITY_DEPRECATED_PASSWORD_SCHEMES = ["auto"]   # the default: re-hash non-argon2 hashes on login

# Argon2 parameters are passed through passlib options, keyed "<scheme>__<param>".
# (Older Flask-Security releases called this SECURITY_PASSWORD_HASH_OPTIONS; check your version.)
SECURITY_PASSWORD_HASH_PASSLIB_OPTIONS = {
    "argon2__memory_cost": 19456,  # KiB: 19 MiB, the OWASP minimum for Argon2id
    "argon2__rounds": 2,           # passlib's name for time_cost (iterations)
    "argon2__parallelism": 1,      # threads; raise memory_cost before raising this
}
Secure Salt Management
Use Environment Variables: SECURITY_PASSWORD_SALT is the HMAC key Flask-Security uses for its default double hashing (the password is HMAC'd with this key, and the result is what Argon2 or bcrypt hashes). Generate it with a CSPRNG, store it in an environment variable or a secrets manager rather than in code, and treat it like SECRET_KEY: rotating it invalidates every stored hash.
Per-Password Salt: Argon2 and bcrypt generate a fresh random salt for every hash and store it inside the hash string, so every user already has a unique salt; there is nothing to add or manage yourself.
Salt Length: passlib's argon2 handler uses a 16-byte (128-bit) salt by default, which is the recommended size; leave it alone. Make the HMAC key at least as strong (32 random bytes is a sensible choice).
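Because the per-password salt and the cost parameters live inside each stored hash string, you can audit the password table for rows that still need an upgrade (legacy bcrypt, or Argon2 hashed with weaker parameters than the current policy) instead of relying only on the login-time re-hash. The following is an added example, not Flask-Security or passlib code; it parses the PHC-format strings passlib's argon2 handler writes and the classic $2b$ bcrypt form. The POLICY values, the check_hmac_key thresholds and the sample rows are assumptions constructed for the example.

```python
"""Audit stored password hashes against the Argon2id policy.

Added example; not Flask-Security or passlib code. It parses the strings that
passlib's argon2 and bcrypt handlers write (PHC format for argon2, the classic
$2b$ form for bcrypt), which shows that the per-password salt and the cost
parameters live inside each hash, and flags rows that need a re-hash: wrong
scheme, or parameters weaker than the policy. The sample rows are constructed.
"""
import base64
import re
from dataclasses import dataclass

# Policy the application configures (OWASP minimum for Argon2id). Assumed values.
POLICY = {"memory_cost": 19456, "time_cost": 2, "parallelism": 1}

# argon2 PHC string: $argon2id$v=19$m=<KiB>,t=<iters>,p=<lanes>$<salt b64>$<digest b64>
ARGON2_RE = re.compile(
    r"^\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
    r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$"
)
# bcrypt: $2<variant>$<cost>$ + 22-char salt + 31-char digest in bcrypt's own base64 alphabet
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


@dataclass
class HashInfo:
    scheme: str        # argon2id / argon2i / argon2d / bcrypt
    params: dict       # cost parameters recovered from the hash string
    salt_bytes: int    # size of the per-password salt embedded in the hash


def _b64decode_nopad(s):
    """PHC strings drop base64 padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_hash(stored):
    """Recover scheme, parameters and salt size from a stored hash string."""
    m = ARGON2_RE.match(stored)
    if m:
        variant, _version, mem, t, p, salt, _digest = m.groups()
        params = {"memory_cost": int(mem), "time_cost": int(t), "parallelism": int(p)}
        return HashInfo(variant, params, len(_b64decode_nopad(salt)))
    m = BCRYPT_RE.match(stored)
    if m:
        # bcrypt always uses a 16-byte salt; the only tunable is the log2 work factor
        return HashInfo("bcrypt", {"rounds": int(m.group(1))}, 16)
    raise ValueError("unrecognised password hash format")


def needs_rehash(stored, policy=POLICY):
    """True if the hash is not Argon2id or any cost parameter is below policy."""
    info = parse_hash(stored)
    if info.scheme != "argon2id":
        return True
    return any(info.params[k] < v for k, v in policy.items())


def check_hmac_key(key):
    """Sanity checks for SECURITY_PASSWORD_SALT; returns a list of problems (assumed thresholds)."""
    problems = []
    if not key:
        problems.append("SECURITY_PASSWORD_SALT is not set")
    elif key == "your_secure_salt_here":
        problems.append("SECURITY_PASSWORD_SALT is still the placeholder value")
    elif len(key) < 32:
        problems.append("SECURITY_PASSWORD_SALT is shorter than 32 characters")
    return problems


# Constructed sample rows: salt/digest fields are dummy base64, not real hashes
SALT, DIGEST = "A" * 22, "B" * 43        # decode to a 16-byte salt and a 32-byte digest
SAMPLE_ROWS = {
    "alice": f"$argon2id$v=19$m=19456,t=2,p=1${SALT}${DIGEST}",   # meets policy
    "bob":   f"$argon2id$v=19$m=16384,t=2,p=2${SALT}${DIGEST}",   # 16 MiB: below policy
    "carol": f"$argon2i$v=19$m=65536,t=3,p=4${SALT}${DIGEST}",    # wrong Argon2 variant
    "dave":  "$2b$12$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",  # legacy bcrypt
}


def audit(rows=SAMPLE_ROWS, policy=POLICY):
    """Return the users whose stored hash should be upgraded, sorted by name."""
    return sorted(user for user, h in rows.items() if needs_rehash(h, policy))


if __name__ == "__main__":
    print("needs re-hash:", audit())
    print("hmac key problems:", check_hmac_key("your_secure_salt_here"))
```

Run it against a dump of the password column to get the list of accounts that will only be upgraded when the user next logs in; for accounts that never return, a forced password reset is the only way to retire the old hash, since the plaintext is needed to produce the new one.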
Password Policies
Implement Strong Password Requirements
Minimum Length: Require at least 12 characters (SECURITY_PASSWORD_LENGTH_MIN; Flask-Security's default is 8) and do not cap length low, so that passphrases are allowed.
Complexity: Requiring a mix of character types (uppercase, lowercase, numbers, special characters) is a common policy, but NIST SP 800-63B advises against mandatory composition rules because they push users toward predictable patterns such as Password1! without adding much entropy; length, a breached-password check and a strength estimator such as zxcvbn are the more effective controls. If you keep composition rules, enforce them server side.
Implementation:
# Custom password validator for Flask-Security. SECURITY_PASSWORD_COMPLEXITY_CHECKER
# only accepts "zxcvbn", so a custom check is wired in by subclassing PasswordUtil
# and passing the subclass to Security().
from flask_security import PasswordUtil, Security
SPECIAL_CHARS = set("!@#$%^&*()_-+={}[]|:;<>,.?/~`")
def password_validator(password):
    """Return a list of error messages; an empty list means the password passes."""
    errors = []
    if len(password) < 12:
        errors.append("Password must be at least 12 characters long")
    if not any(c.isupper() for c in password):
        errors.append("Password must contain an uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("Password must contain a lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("Password must contain a digit")
    if not any(c in SPECIAL_CHARS for c in password):
        errors.append("Password must contain a special character")
    return errors
class PolicyPasswordUtil(PasswordUtil):
    # Runs on registration and password change; must return (errors or None, normalized password)
    def validate(self, password, is_register, **kwargs):
        errors, pnorm = super().validate(password, is_register, **kwargs)
        if not errors:  # built-in length/zxcvbn/breach checks passed; now apply ours
            errors = password_validator(pnorm) or None
        return errors, pnorm
# app and user_datastore are your existing Flask app and Flask-Security datastore
security = Security(app, user_datastore, password_util_cls=PolicyPasswordUtil)

# In your app configuration
SECURITY_PASSWORD_LENGTH_MIN = 12                 # built-in length check
SECURITY_PASSWORD_CHECK_BREACHED = "best-effort"  # or "strict"; True is not a valid value
SECURITY_PASSWORD_COMPLEXITY_CHECKER = "zxcvbn"   # the only built-in checker; needs the zxcvbn package
Password Blacklisting
Common Password Check: Reject commonly used or easily guessable passwords, including trivial variants of blocklisted entries (case changes, leet substitutions, digit or punctuation suffixes). SECURITY_PASSWORD_CHECK_BREACHED queries the Have I Been Pwned range API with the first five characters of the password's SHA-1 hash (k-anonymity), so the password itself never leaves the server; "best-effort" lets registration proceed if the API is unreachable, "strict" does not.
Personal Information: Prevent passwords containing the username, parts of the email address or other attributes of the account being registered.
Implementation: Set SECURITY_PASSWORD_COMPLEXITY_CHECKER = "zxcvbn" (requires the zxcvbn package) and tune SECURITY_ZXCVBN_MINIMUM_SCORE. Flask-Security passes the user's attributes to zxcvbn as user_inputs, so a single setting covers both the common-password and personal-information checks without a hand-maintained blocklist.
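When zxcvbn is not an option (an air-gapped deployment, or a policy that requires a specific organisational blocklist), the two checks can be implemented directly. The following is an added example, not Flask-Security or zxcvbn code: it normalises the candidate password before comparing it with a blocklist, derives personal-information tokens from the user's attributes, and shows where the check plugs into Flask-Security via a PasswordUtil subclass. COMMON_PASSWORDS, the LEET table, MIN_TOKEN and the sample registration attempts are assumptions constructed for the example; the assumption that every string-valued kwarg Flask-Security passes to validate() is a user attribute is marked in the code.

```python
"""Blocklist and personal-information checks for new passwords.

Added example; not Flask-Security or zxcvbn code. The policy is plain Python
so it runs and can be tested offline; BlocklistPasswordUtil at the end shows
where it plugs into Flask-Security (flask_security is imported only if it is
installed). COMMON_PASSWORDS is a constructed handful of entries; a real
deployment loads a large breach-derived list from disk at start-up.
"""
import re

# Constructed mini blocklist, lower case, as a real list would be stored.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

# Undo the most common "leet" substitutions so P@ssw0rd is compared as password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

# Personal-information tokens shorter than this are ignored (avoids blocking "com" or "jo").
MIN_TOKEN = 4


def letters_only(s):
    """Strip everything except a-z so digit/punctuation suffixes do not defeat the check."""
    return re.sub(r"[^a-z]", "", s)


def candidate_forms(password):
    """Forms of the password compared with the blocklist: as typed (lower case),
    with digits and punctuation removed, and with leet undone before removal."""
    lower = password.lower()
    return {lower, letters_only(lower), letters_only(lower.translate(LEET))}


def user_tokens(user_inputs):
    """Split e-mail addresses, names and usernames into tokens of MIN_TOKEN+ chars."""
    tokens = set()
    for value in user_inputs:
        if isinstance(value, str):
            for part in re.split(r"[^A-Za-z0-9]+", value.lower()):
                if len(part) >= MIN_TOKEN:
                    tokens.add(part)
    return tokens


def check_password(password, user_inputs=()):
    """Return policy violations as a list of messages; an empty list means OK."""
    errors = []
    forms = candidate_forms(password)
    if forms & COMMON_PASSWORDS:
        errors.append("Password is too common")
    hits = sorted(t for t in user_tokens(user_inputs) if any(t in f for f in forms))
    if hits:
        errors.append("Password must not contain personal information: " + ", ".join(hits))
    return errors


try:
    from flask_security import PasswordUtil

    class BlocklistPasswordUtil(PasswordUtil):
        """Use with Security(app, datastore, password_util_cls=BlocklistPasswordUtil).

        Flask-Security hands user attributes (e.g. email, username) to validate()
        in kwargs; treating every string-valued kwarg as personal information is
        an assumption made here about what the caller supplies.
        """
        def validate(self, password, is_register, **kwargs):
            errors, pnorm = super().validate(password, is_register, **kwargs)
            if not errors:  # built-in checks passed; apply the blocklist policy
                inputs = [v for v in kwargs.values() if isinstance(v, str)]
                errors = check_password(pnorm, inputs) or None
            return errors, pnorm
except ImportError:  # lets the policy above be tested without Flask-Security installed
    pass


# Constructed registration attempts for the account alice.smith@example.com
SAMPLES = {
    "P@ssw0rd!": ["Password is too common"],
    "Alice2024!": ["Password must not contain personal information: alice"],
    "Tr0ub4dor&3-horse-battery": [],
}

if __name__ == "__main__":
    for pw, expected in SAMPLES.items():
        result = check_password(pw, ["alice.smith@example.com"])
        print(pw, "->", result or "OK", "" if result == expected else "(unexpected)")
```

The normalisation is deliberately one-directional: the blocklist stays lower case and letters only, and the candidate password is reduced to the same shape, so P@ssw0rd!, Password123 and PASSWORD all collide with the single entry "password". Keep MIN_TOKEN at three or four; lower values reject almost everything for users with short names.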