Consider changing default encoder in PasswordEncoderFactories

[jgrandja]

The default PasswordEncoder in PasswordEncoderFactories is BCryptPasswordEncoder.

We should consider changing the default to another PasswordEncoder based on the recommendations in OWASP Password Storage Cheat Sheet.

[evgeniycheban]

Hi, @jgrandja I can work on it.

[evgeniycheban]

@jgrandja according to the link you provided we should use Argon2 by default instead of bcrypt, I see that currently we have 2 factory methods that produce Argon2PasswordEncoder for spring security 5.2 and 5.8 with different configuration to keep backward compatibility with passwords that were encoded in previous versions of spring security, so I would add a new factory-method defaultsForSpringSecurity_v7 that returns Argon2PasswordEncoder with recommended configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism as suggested in the link. Then in the method PasswordEncoderFactories#createDelegatingPasswordEncoder we can add it to encoders map like argon2@Spring_Security_v7 and switch default encoder to argon2@Spring_Security_v7 as well.

[jgrandja]

Thanks again @evgeniycheban.

I added the for:team-attention label to this ticket as well as gh-16880 as the team needs to discuss this before we proceed with any changes. I will get back to you as soon as we decide on the approach. Thanks for your patience.