Strong Password Hashes
Due to the limitations of OpenLDAP we currently use HASHED_SALTED_SHA512, i.e. plain SHA2 with a salt. That is a pretty weak method for password hashing, especially compared to algorithms like bcrypt/scrypt or the more recent argon2, which are deliberately slow (and, for scrypt and argon2, memory-hard) so that offline guessing is far more expensive.

After dropping LDAP support we should switch to argon2. The Python package argon2-cffi is available in Debian Buster as python3-argon2.
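The following is an added example (not code from this project) of how the switch could be done without a forced password reset: existing records keep their salted SHA-512 hash until the user next logs in, at which point the password is verified against the legacy hash and immediately re-stored as an argon2 hash via argon2-cffi. The on-disk encoding of the legacy hash (`ssha512$<salt-hex>$<digest-hex>`) is an assumption made for the example, not the format the project actually uses; the `PasswordHasher`, `verify`, `check_needs_rehash` and exception names are the real argon2-cffi API.

```python
"""Transparent migration from salted SHA-512 to argon2 (argon2-cffi) on login.

Added example; the legacy encoding below is assumed, not the project's real format.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

from argon2 import PasswordHasher
from argon2.exceptions import InvalidHash, VerificationError

# Assumed legacy encoding: "ssha512$<salt-hex>$<hex(sha512(salt || password))>"
LEGACY_PREFIX = "ssha512$"
ARGON2_PREFIX = "$argon2"

# argon2id with the library's current default cost parameters. Raising the
# parameters later is safe: check_needs_rehash() flags old hashes for upgrade.
ph = PasswordHasher()


def legacy_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a hash in the (assumed) legacy format; only needed for test data."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{LEGACY_PREFIX}{salt.hex()}${digest}"


def legacy_verify(stored: str, password: str) -> bool:
    """Constant-time check of a password against a legacy salted SHA-512 record."""
    try:
        _, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    candidate = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Verify `password` against `stored`.

    Returns (ok, replacement). `replacement` is a fresh argon2 hash that the
    caller must write back to the user record: always for a legacy hash that
    verified, and for an argon2 hash whose parameters are below the current ones.
    """
    if stored.startswith(ARGON2_PREFIX):
        try:
            ph.verify(stored, password)
        except (VerificationError, InvalidHash):
            return False, None
        if ph.check_needs_rehash(stored):
            return True, ph.hash(password)
        return True, None

    if stored.startswith(LEGACY_PREFIX):
        if not legacy_verify(stored, password):
            return False, None
        # Correct password: replace the weak hash while we still have the cleartext.
        return True, ph.hash(password)

    # Unknown format: never accept.
    return False, None


def login(users: dict, username: str, password: str) -> bool:
    """Simulated login against an in-memory user store; rewrites upgraded hashes."""
    stored = users.get(username)
    if stored is None:
        return False
    ok, replacement = verify_and_upgrade(stored, password)
    if ok and replacement is not None:
        users[username] = replacement
    return ok


if __name__ == "__main__":
    # Constructed sample store with one legacy record.
    users = {"alice": legacy_hash("correct horse battery staple")}
    print("before:", users["alice"][:24], "...")
    assert login(users, "alice", "correct horse battery staple")
    print("after: ", users["alice"][:24], "...")
```

After the first successful login the record starts with `$argon2id$`; a second login verifies through `ph.verify` and leaves the record untouched unless the hasher's cost parameters have since been raised.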