Turn default hash password algorightm back to pbkdf2 from argon2 until we found a...
authorLunny Xiao <xiaolunwen@gmail.com>
Sat, 13 Feb 2021 17:03:29 +0000 (01:03 +0800)
committerGitHub <noreply@github.com>
Sat, 13 Feb 2021 17:03:29 +0000 (18:03 +0100)
* Turn default password hash algorithm back to pbkdf2 from argon2 until we find a better one

* Add a warning on document

custom/conf/app.example.ini
docs/content/doc/advanced/config-cheat-sheet.en-us.md
modules/setting/setting.go

index 747173b5ae47e96496b3935841ad459de6f431f6..276b3cb5e809708f912f0bed6dc0ccfac272fbfb 100644 (file)
@@ -565,7 +565,7 @@ ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;Classes include "lower,upper,digit,spec"
 PASSWORD_COMPLEXITY = off
 ; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
-PASSWORD_HASH_ALGO = argon2
+PASSWORD_HASH_ALGO = pbkdf2
 ; Set false to allow JavaScript to read CSRF cookie
 CSRF_COOKIE_HTTP_ONLY = true
 ; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed
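Review bot: The comment above `PASSWORD_HASH_ALGO` still only lists the four choices and gives no reason for the new pbkdf2 default, although the documentation hunk in this commit does carry the memory warning. I would extend it to `; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"; argon2 uses considerably more memory per hash than the others`. The same default changes in the `modules/setting/setting.go` hunk, so installs that never set this key will presumably start hashing with pbkdf2 after upgrading, which deserves a release-note entry; whether existing argon2 hashes still verify is not visible in this diff. Since pbkdf2's brute-force resistance depends on its iteration count and it is not memory-hard, the comment could also tell operators with memory to spare that they can set argon2 or scrypt explicitly.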
index b65f59ce0c5c2037f84ec7c7524219f28422e49e..2c4d01102c9c165310385bd1a2dc51e8eace3ab6 100644 (file)
@@ -401,7 +401,7 @@ relation to port exhaustion.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
-- `PASSWORD_HASH_ALGO`: **argon2**: The hash algorithm to use \[argon2, pbkdf2, scrypt, bcrypt\].
+- `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[argon2, pbkdf2, scrypt, bcrypt\], argon2 will spend more memory than others.
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
 - `MIN_PASSWORD_LENGTH`: **6**: Minimum password length for new users.
 - `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
index 54ddb6937c0b1d6680e486384032caf8ac411eed..be7ec16e10cc11267f3851a6a7d94a1a96233d78 100644 (file)
@@ -804,7 +804,7 @@ func NewContext() {
        DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(true)
        DisableWebhooks = sec.Key("DISABLE_WEBHOOKS").MustBool(false)
        OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
-       PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("argon2")
+       PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
        CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
        PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)