Summary

Supabase Auth already supports verifying argon2id hashes (PR #1597), but GenerateFromPassword still defaults to bcrypt. Request: make argon2id the default for all newly-created password hashes.

Motivation

OWASP Password Storage Cheat Sheet designates Argon2id as first recommendation
bcrypt silently truncates passwords >72 bytes; argon2id has no such limit
argon2id is resistant to GPU/ASIC cracking attacks

Proposed behaviour

New signups use argon2id instead of bcrypt
Existing bcrypt hashes continue to work via the prefix-based dispatcher already in place
On next successful login with old bcrypt hash, transparently re-hash to argon2id
golang.org/x/crypto/argon2 is already a dependency — no new deps needed

References

Community discussion: https://github.com/orgs/supabase/discussions/13130
PR #1597 (argon2id verification already merged)

How to help

Victor Rafael suggests making argon2id the default algorithm for password hashing in Supabase Auth, citing its security advantages over bcrypt. The proposal includes using argon2id for new signups and rehashing existing bcrypt passwords upon successful login. The change leverages existing dependencies and aligns with OWASP recommendations.

Help on GitHub