Implement password hashing with argon2-cffi

[remram44]

Fixes #2426

The hashlib hashing method could probably be removed from passwd() since nothing ever specifies the algorithm argument. Should probably be kept in passwd_check() until people update their configs.

[nealmcb]

Thank you - I agree that the current non-iterated use of SHA-1 is awful.
But as I noted at #2426 (comment), I think hashlib.pbkdf2_hmac which is already in standard Python might be more appropriate.

I also think it is now clear that Argon2 is better than bcrypt, and I wonder if using it (and adding a dependency on it) instead of bcrypt might be more appropriate now.

Or maybe Argon2 will come to the standard Python3 library soon?
Anyway, thanks!

[remram44]

I'm happy to make further changes and look into stdlib facilities if/when a project member expresses interest in this.

[blink1073]

Hi @remram44, we're catching up on PR review. I'd support the use of hashlib.pbkdf2_hmac as a compromise that improves the hashing without taking on an external dependency. Are you able to pick this work back up?

[nealmcb]

I wonder if scrypt is appropriate by now. scrypt is significantly better than pbkdf2, since it is memory-hard, and is supported in Python 3.6 (scrypt), and requires OpenSSL 1.1+

I also note this interesting reflection on argon2: https://twitter.com/Sc00bzT/status/1149950559258140673

[blink1073]

I'll defer to your expertise here @nealmcb. Given that argon2 is available on conda-forge I'd support taking it on as a dependency.

[nealmcb]

I have some thoughts that I'll take to the main issue #2426.

[remram44]

This can easily be updated to another method, if a consensus is reached.

[blink1073]

@remram44 if you make these changes I'll go ahead and merge: #2426 (comment)

[remram44]

I rebased, and switched to argon2-cffi as requested.

A point that was mentioned by @nealmcb was making the Argon2 parameters configurable via jupyter_notebook_config.py, however I am not sure that loading that config file in passwd() is appropriate. Also I am a little confused about the different approaches in dealing with the config file (this vs this).

[blink1073]

It looks like auth/__main__.py should be calling out to auth/secruity.py (needs a refactor).
I think we can take up optimizations in further PRs, let's merge and iterate.

[CaselIT]

Any reason this was not also added to jupyter_server and ipython that have the same implementation of these functions?

[remram44]

I don't think jupyter_server existed when I opened this PR. It took 2 years to merge.

[nealmcb]

Thanks to everyone for getting this wrapped up last year.
It might help to change the title line of this issue, to clarify that we ended up using argon2_cffi, not bcrypt. I guess perhaps only the owner can do that?