I've implemented PBKDF2-HMAC-SHA1 in TF-Login 'password' branch to
replace the existing simple and insecure SHA1-based password hashing
To load, start with fresh Pharo 7 image:
"First load Seaside."
"Then load TF-Login."
As originally implemented, TF-Login also supports cookie-based auto-login,
which works by storing username and the SHA1-hashed password in client
cookies. This scheme is certainly not secure by current standards and can't
be used together with PBKDF2-HMAC-SHA1 password hashing.
Possible future work on TF-Login password management:
- OAuth2, to replace the existing insecure cookie-based auto-login