build(deps): update module github.com/go-crypt/crypt to v0.2.2 (#4452)

2022-12-05 09:37:08 +11:00 · 2022-12-05 09:37:08 +11:00 · 0aa6745059
parent 87004ccb57
commit 0aa6745059
17 changed files with 232 additions and 143 deletions
--- a/go.mod
+++ b/go.mod
@ -11,7 +11,7 @@ require (
 	github.com/fasthttp/session/v2 v2.4.13
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/go-asn1-ber/asn1-ber v1.5.4
-	github.com/go-crypt/crypt v0.1.14
+	github.com/go-crypt/crypt v0.2.2-0.20221204130046-b13cb0ef6218
 	github.com/go-ldap/ldap/v3 v3.4.4
 	github.com/go-rod/rod v0.112.2
 	github.com/go-sql-driver/mysql v1.7.0
@ -63,7 +63,7 @@ require (
 	github.com/ecordell/optgen v0.0.6 // indirect
 	github.com/facebookgo/stack v0.0.0-20160209184415-751773369052 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
-	github.com/go-crypt/x v0.1.3 // indirect
+	github.com/go-crypt/x v0.1.7 // indirect
 	github.com/go-redis/redis/v8 v8.11.5 // indirect
 	github.com/go-webauthn/revoke v0.1.6 // indirect
 	github.com/golang/glog v1.0.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -162,10 +162,12 @@ github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrt
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-crypt/crypt v0.1.14 h1:Pd8iBYlbwDXJNi0lz8CS/qYvpvxCfP0XO/f5PYvVQ4o=
-github.com/go-crypt/crypt v0.1.14/go.mod h1:VNLdWMD0go46arq5WVZB2MV/9Vw02FOWhKDORXl7K2c=
-github.com/go-crypt/x v0.1.3 h1:3YSlHqOZsw4gcPzfqrcc5kg4GIhTKmkjl/ZVqJ3CbbU=
-github.com/go-crypt/x v0.1.3/go.mod h1:/6X1DjQki055ajXV/7pCHZM0OmMR1+csiXFkxK73Kc8=
+github.com/go-crypt/crypt v0.2.2-0.20221204120525-4373dc528789 h1:y7pQxv0gsIDxE2tHivIDl/XPWengErnLp3gHziZO4aI=
+github.com/go-crypt/crypt v0.2.2-0.20221204120525-4373dc528789/go.mod h1:7SeCrKOWqS3D2kHUVflBbWhL+MvLCZh+knAcnaFbjLM=
+github.com/go-crypt/crypt v0.2.2-0.20221204130046-b13cb0ef6218 h1:UviO2jAV5i6WUy9HzaabOVVLuMBhnU//HrwkJ+ZcJBA=
+github.com/go-crypt/crypt v0.2.2-0.20221204130046-b13cb0ef6218/go.mod h1:7SeCrKOWqS3D2kHUVflBbWhL+MvLCZh+knAcnaFbjLM=
+github.com/go-crypt/x v0.1.7 h1:iSkIkmwFlRLrPraB2rge7WIjomAlSUHI+H200p9pPdc=
+github.com/go-crypt/x v0.1.7/go.mod h1:io9lPvPf2qNHWLZWdvxjXT7Z4zBGRNvWq60t/vqrBgY=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
--- a/internal/authentication/file_user_provider.go
+++ b/internal/authentication/file_user_provider.go
@ -8,7 +8,12 @@ import (
 	"sync"
 	"time"

-	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm"
+	"github.com/go-crypt/crypt/algorithm/argon2"
+	"github.com/go-crypt/crypt/algorithm/bcrypt"
+	"github.com/go-crypt/crypt/algorithm/pbkdf2"
+	"github.com/go-crypt/crypt/algorithm/scrypt"
+	"github.com/go-crypt/crypt/algorithm/shacrypt"

 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/logging"
@ -17,7 +22,7 @@ import (
 // FileUserProvider is a provider reading details from a file.
 type FileUserProvider struct {
 	config        *schema.FileAuthenticationBackend
-	hash          crypt.Hash
+	hash          algorithm.Hash
 	database      *FileUserDatabase
 	mutex         *sync.Mutex
 	timeoutReload time.Time
@ -145,39 +150,50 @@ func (p *FileUserProvider) setTimeoutReload(now time.Time) {
 }

 // NewFileCryptoHashFromConfig returns a crypt.Hash given a valid configuration.
-func NewFileCryptoHashFromConfig(config schema.Password) (hash crypt.Hash, err error) {
+func NewFileCryptoHashFromConfig(config schema.Password) (hash algorithm.Hash, err error) {
 	switch config.Algorithm {
 	case hashArgon2, "":
-		hash = crypt.NewArgon2Hash().
-			WithVariant(crypt.NewArgon2Variant(config.Argon2.Variant)).
-			WithT(config.Argon2.Iterations).
-			WithM(config.Argon2.Memory).
-			WithP(config.Argon2.Parallelism).
-			WithK(config.Argon2.KeyLength).
-			WithS(config.Argon2.SaltLength)
+		hash, err = argon2.New(
+			argon2.WithVariantName(config.Argon2.Variant),
+			argon2.WithT(config.Argon2.Iterations),
+			argon2.WithM(uint32(config.Argon2.Memory)),
+			argon2.WithP(config.Argon2.Parallelism),
+			argon2.WithK(config.Argon2.KeyLength),
+			argon2.WithS(config.Argon2.SaltLength),
+		)
 	case hashSHA2Crypt:
-		hash = crypt.NewSHA2CryptHash().
-			WithVariant(crypt.NewSHA2CryptVariant(config.SHA2Crypt.Variant)).
-			WithRounds(config.SHA2Crypt.Iterations).
-			WithSaltLength(config.SHA2Crypt.SaltLength)
+		hash, err = shacrypt.New(
+			shacrypt.WithVariantName(config.SHA2Crypt.Variant),
+			shacrypt.WithIterations(config.SHA2Crypt.Iterations),
+			shacrypt.WithSaltLength(config.SHA2Crypt.SaltLength),
+		)
 	case hashPBKDF2:
-		hash = crypt.NewPBKDF2Hash().
-			WithVariant(crypt.NewPBKDF2Variant(config.PBKDF2.Variant)).
-			WithIterations(config.PBKDF2.Iterations).
-			WithSaltLength(config.PBKDF2.SaltLength)
+		hash, err = pbkdf2.New(
+			pbkdf2.WithVariantName(config.PBKDF2.Variant),
+			pbkdf2.WithIterations(config.PBKDF2.Iterations),
+			pbkdf2.WithSaltLength(config.PBKDF2.SaltLength),
+		)
 	case hashSCrypt:
-		hash = crypt.NewScryptHash().
-			WithLN(config.SCrypt.Iterations).
-			WithP(config.SCrypt.Parallelism).
-			WithR(config.SCrypt.BlockSize)
+		hash, err = scrypt.New(
+			scrypt.WithLN(config.SCrypt.Iterations),
+			scrypt.WithP(config.SCrypt.Parallelism),
+			scrypt.WithR(config.SCrypt.BlockSize),
+			scrypt.WithKeyLength(config.SCrypt.KeyLength),
+			scrypt.WithSaltLength(config.SCrypt.SaltLength),
+		)
 	case hashBCrypt:
-		hash = crypt.NewBcryptHash().
-			WithVariant(crypt.NewBcryptVariant(config.BCrypt.Variant)).
-			WithCost(config.BCrypt.Cost)
+		hash, err = bcrypt.New(
+			bcrypt.WithVariantName(config.BCrypt.Variant),
+			bcrypt.WithIterations(config.BCrypt.Cost),
+		)
 	default:
 		return nil, fmt.Errorf("algorithm '%s' is unknown", config.Algorithm)
 	}

+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize hash settings: %w", err)
+	}
+
 	if err = hash.Validate(); err != nil {
 		return nil, fmt.Errorf("failed to validate hash settings: %w", err)
 	}
--- a/internal/authentication/file_user_provider_database.go
+++ b/internal/authentication/file_user_provider_database.go
@ -8,6 +8,7 @@ import (

 	"github.com/asaskevich/govalidator"
 	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm"
 	"gopkg.in/yaml.v3"
 )

@ -203,7 +204,7 @@ func (m *FileUserDatabase) ToDatabaseModel() (model *DatabaseModel) {
 // DatabaseUserDetails is the model of user details in the file database.
 type DatabaseUserDetails struct {
 	Username    string
-	Digest      crypt.Digest
+	Digest      algorithm.Digest
 	Disabled    bool
 	DisplayName string
 	Email       string
@ -308,7 +309,7 @@ type UserDetailsModel struct {

 // ToDatabaseUserDetailsModel converts a UserDetailsModel into a *DatabaseUserDetails.
 func (m UserDetailsModel) ToDatabaseUserDetailsModel(username string) (model *DatabaseUserDetails, err error) {
-	var d crypt.Digest
+	var d algorithm.Digest

 	if d, err = crypt.Decode(m.HashedPassword); err != nil {
 		return nil, err
--- a/internal/authentication/file_user_provider_test.go
+++ b/internal/authentication/file_user_provider_test.go
@ -252,7 +252,7 @@ func TestShouldRaiseWhenLoadingDatabaseWithBadSHA512HashesForTheFirstTime(t *tes

 		provider := NewFileUserProvider(&config)

-		assert.EqualError(t, provider.StartupCheck(), "error decoding the authentication database: failed to parse hash for user 'john': sha2crypt decode error: provided encoded hash has an invalid option: option 'rounds00000' is invalid")
+		assert.EqualError(t, provider.StartupCheck(), "error decoding the authentication database: failed to parse hash for user 'john': shacrypt decode error: parameter pair 'rounds00000' is not properly encoded: does not contain kv separator '='")
 	})
 }

@ -263,7 +263,7 @@ func TestShouldRaiseWhenLoadingDatabaseWithBadArgon2idHashSettingsForTheFirstTim

 		provider := NewFileUserProvider(&config)

-		assert.EqualError(t, provider.StartupCheck(), "error decoding the authentication database: failed to parse hash for user 'john': argon2 decode error: provided encoded hash has an invalid option: option 'm65536' is invalid")
+		assert.EqualError(t, provider.StartupCheck(), "error decoding the authentication database: failed to parse hash for user 'john': argon2 decode error: parameter pair 'm65536' is not properly encoded: does not contain kv separator '='")
 	})
 }

--- a/internal/commands/crypto_hash.go
+++ b/internal/commands/crypto_hash.go
@ -5,6 +5,7 @@ import (
 	"strings"

 	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"

@ -272,8 +273,8 @@ func newCryptoHashValidateCmd() (cmd *cobra.Command) {

 func cmdCryptoHashGenerateFinish(cmd *cobra.Command, args []string, flagsMap map[string]string) (err error) {
 	var (
-		algorithm string
-		configs   []string
+		algName string
+		configs []string

 		c schema.Password
 	)
@ -294,25 +295,25 @@ func cmdCryptoHashGenerateFinish(cmd *cobra.Command, args []string, flagsMap map
 		break
 	case legacy:
 		if sha512, _ := cmd.Flags().GetBool(cmdFlagNameSHA512); sha512 {
-			algorithm = cmdUseHashSHA2Crypt
+			algName = cmdUseHashSHA2Crypt
 		} else {
-			algorithm = cmdUseHashArgon2
+			algName = cmdUseHashArgon2
 		}
 	default:
-		algorithm = cmd.Use
+		algName = cmd.Use
 	}

-	if c, err = cmdCryptoHashGetConfig(algorithm, configs, cmd.Flags(), flagsMap); err != nil {
+	if c, err = cmdCryptoHashGetConfig(algName, configs, cmd.Flags(), flagsMap); err != nil {
 		return err
 	}

-	if legacy && algorithm == cmdUseHashArgon2 && cmd.Flags().Changed(cmdFlagNameMemory) {
+	if legacy && algName == cmdUseHashArgon2 && cmd.Flags().Changed(cmdFlagNameMemory) {
 		c.Argon2.Memory *= 1024
 	}

 	var (
-		hash     crypt.Hash
-		digest   crypt.Digest
+		hash     algorithm.Hash
+		digest   algorithm.Digest
 		password string
 		random   bool
 	)
--- a/internal/configuration/decode_hooks.go
+++ b/internal/configuration/decode_hooks.go
@ -12,7 +12,7 @@ import (
 	"strings"
 	"time"

-	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm/plaintext"
 	"github.com/mitchellh/mapstructure"

 	"github.com/authelia/authelia/v4/internal/configuration/schema"
@ -486,7 +486,7 @@ func StringToPrivateKeyHookFunc() mapstructure.DecodeHookFuncType {
 }

 // StringToPasswordDigestHookFunc decodes a string into a crypt.Digest.
-func StringToPasswordDigestHookFunc(plaintext bool) mapstructure.DecodeHookFuncType {
+func StringToPasswordDigestHookFunc() mapstructure.DecodeHookFuncType {
 	return func(f reflect.Type, t reflect.Type, data interface{}) (value interface{}, err error) {
 		var ptr bool

@ -514,11 +514,11 @@ func StringToPasswordDigestHookFunc(plaintext bool) mapstructure.DecodeHookFuncT
 		var result *schema.PasswordDigest

 		if !strings.HasPrefix(dataStr, "$") {
-			dataStr = fmt.Sprintf(crypt.StorageFormatSimple, crypt.AlgorithmPrefixPlainText, dataStr)
+			dataStr = fmt.Sprintf(plaintext.EncodingFmt, plaintext.AlgIdentifierPlainText, dataStr)
 		}

 		if dataStr != "" {
-			if result, err = schema.NewPasswordDigest(dataStr, plaintext); err != nil {
+			if result, err = schema.DecodePasswordDigest(dataStr); err != nil {
 				return nil, fmt.Errorf(errFmtDecodeHookCouldNotParse, dataStr, prefixType, expectedType.String(), err)
 			}
 		}
--- a/internal/configuration/provider.go
+++ b/internal/configuration/provider.go
@ -66,7 +66,7 @@ func unmarshal(ko *koanf.Koanf, val *schema.StructValidator, path string, o any)
 				StringToPrivateKeyHookFunc(),
 				StringToCryptoPrivateKeyHookFunc(),
 				StringToTLSVersionHookFunc(),
-				StringToPasswordDigestHookFunc(true),
+				StringToPasswordDigestHookFunc(),
 				ToTimeDurationHookFunc(),
 			),
 			Metadata:         nil,
--- a/internal/configuration/schema/types.go
+++ b/internal/configuration/schema/types.go
@ -16,6 +16,8 @@ import (
 	"time"

 	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm"
+	"github.com/go-crypt/crypt/algorithm/plaintext"
 )

 // NewAddressFromString returns an *Address and error depending on the ability to parse the string as an Address.
@ -110,27 +112,32 @@ func (a Address) Listener() (net.Listener, error) {
 	return net.Listen(a.Scheme, a.HostPort())
 }

-// NewPasswordDigest returns a new PasswordDigest.
-func NewPasswordDigest(value string, plaintext bool) (digest *PasswordDigest, err error) {
-	var d crypt.Digest
+var cdecoder algorithm.DecoderRegister

-	switch {
-	case plaintext:
-		d, err = crypt.DecodeWithPlainText(value)
-	default:
-		d, err = crypt.Decode(value)
+// DecodePasswordDigest returns a new PasswordDigest if it can be decoded.
+func DecodePasswordDigest(encodedDigest string) (digest *PasswordDigest, err error) {
+	if cdecoder == nil {
+		if cdecoder, err = crypt.NewDefaultDecoder(); err != nil {
+			return nil, fmt.Errorf("failed to initialize decoder: %w", err)
+		}
+
+		if err = plaintext.RegisterDecoderPlainText(cdecoder); err != nil {
+			return nil, fmt.Errorf("failed to initialize decoder: could not register the plaintext decoder: %w", err)
+		}
 	}

-	if err != nil {
+	var d algorithm.Digest
+
+	if d, err = cdecoder.Decode(encodedDigest); err != nil {
 		return nil, err
 	}

-	return &PasswordDigest{d}, err
+	return &PasswordDigest{Digest: d}, nil
 }

 // PasswordDigest is a configuration type for the crypt.Digest.
 type PasswordDigest struct {
-	crypt.Digest
+	algorithm.Digest
 }

 // NewX509CertificateChain creates a new *X509CertificateChain from a given string, parsing each PEM block one by one.
--- a/internal/configuration/validator/authentication.go
+++ b/internal/configuration/validator/authentication.go
@ -5,7 +5,11 @@ import (
 	"net/url"
 	"strings"

-	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm/argon2"
+	"github.com/go-crypt/crypt/algorithm/bcrypt"
+	"github.com/go-crypt/crypt/algorithm/pbkdf2"
+	"github.com/go-crypt/crypt/algorithm/scrypt"
+	"github.com/go-crypt/crypt/algorithm/shacrypt"

 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/utils"
@ -91,46 +95,48 @@ func validateFileAuthenticationBackendPasswordConfigArgon2(config *schema.Passwo
 	switch {
 	case config.Argon2.Iterations == 0:
 		config.Argon2.Iterations = schema.DefaultPasswordConfig.Argon2.Iterations
-	case config.Argon2.Iterations < crypt.Argon2IterationsMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "iterations", config.Argon2.Iterations, crypt.Argon2IterationsMin))
-	case config.Argon2.Iterations > crypt.Argon2IterationsMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "iterations", config.Argon2.Iterations, crypt.Argon2IterationsMax))
+	case config.Argon2.Iterations < argon2.IterationsMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "iterations", config.Argon2.Iterations, argon2.IterationsMin))
+	case config.Argon2.Iterations > argon2.IterationsMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "iterations", config.Argon2.Iterations, argon2.IterationsMax))
 	}

 	switch {
 	case config.Argon2.Parallelism == 0:
 		config.Argon2.Parallelism = schema.DefaultPasswordConfig.Argon2.Parallelism
-	case config.Argon2.Parallelism < crypt.Argon2ParallelismMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "parallelism", config.Argon2.Parallelism, crypt.Argon2ParallelismMin))
-	case config.Argon2.Parallelism > crypt.Argon2ParallelismMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "parallelism", config.Argon2.Parallelism, crypt.Argon2ParallelismMax))
+	case config.Argon2.Parallelism < argon2.ParallelismMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "parallelism", config.Argon2.Parallelism, argon2.ParallelismMin))
+	case config.Argon2.Parallelism > argon2.ParallelismMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "parallelism", config.Argon2.Parallelism, argon2.ParallelismMax))
 	}

 	switch {
 	case config.Argon2.Memory == 0:
 		config.Argon2.Memory = schema.DefaultPasswordConfig.Argon2.Memory
-	case config.Argon2.Memory < 0:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "memory", config.Argon2.Parallelism, 1))
-	case config.Argon2.Memory < (crypt.Argon2MemoryMinParallelismMultiplier * config.Argon2.Parallelism):
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordArgon2MemoryTooLow, config.Argon2.Memory, config.Argon2.Parallelism*crypt.Argon2MemoryMinParallelismMultiplier, config.Argon2.Parallelism, crypt.Argon2MemoryMinParallelismMultiplier))
+	case config.Argon2.Memory < argon2.MemoryMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "memory", config.Argon2.Memory, argon2.MemoryMin))
+	case uint64(config.Argon2.Memory) > uint64(argon2.MemoryMax):
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "memory", config.Argon2.Memory, argon2.MemoryMax))
+	case config.Argon2.Memory < (config.Argon2.Parallelism * argon2.MemoryMinParallelismMultiplier):
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordArgon2MemoryTooLow, config.Argon2.Memory, config.Argon2.Parallelism*argon2.MemoryMinParallelismMultiplier, config.Argon2.Parallelism, argon2.MemoryMinParallelismMultiplier))
 	}

 	switch {
 	case config.Argon2.KeyLength == 0:
 		config.Argon2.KeyLength = schema.DefaultPasswordConfig.Argon2.KeyLength
-	case config.Argon2.KeyLength < crypt.Argon2KeySizeMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "key_length", config.Argon2.KeyLength, crypt.Argon2KeySizeMin))
-	case config.Argon2.KeyLength > crypt.Argon2KeySizeMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "key_length", config.Argon2.KeyLength, crypt.Argon2KeySizeMax))
+	case config.Argon2.KeyLength < argon2.KeyLengthMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "key_length", config.Argon2.KeyLength, argon2.KeyLengthMin))
+	case config.Argon2.KeyLength > argon2.KeyLengthMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "key_length", config.Argon2.KeyLength, argon2.KeyLengthMax))
 	}

 	switch {
 	case config.Argon2.SaltLength == 0:
 		config.Argon2.SaltLength = schema.DefaultPasswordConfig.Argon2.SaltLength
-	case config.Argon2.SaltLength < crypt.Argon2SaltSizeMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "salt_length", config.Argon2.SaltLength, crypt.Argon2SaltSizeMin))
-	case config.Argon2.SaltLength > crypt.Argon2SaltSizeMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "salt_length", config.Argon2.SaltLength, crypt.Argon2SaltSizeMax))
+	case config.Argon2.SaltLength < argon2.SaltLengthMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashArgon2, "salt_length", config.Argon2.SaltLength, argon2.SaltLengthMin))
+	case config.Argon2.SaltLength > argon2.SaltLengthMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashArgon2, "salt_length", config.Argon2.SaltLength, argon2.SaltLengthMax))
 	}
 }

@ -147,19 +153,19 @@ func validateFileAuthenticationBackendPasswordConfigSHA2Crypt(config *schema.Pas
 	switch {
 	case config.SHA2Crypt.Iterations == 0:
 		config.SHA2Crypt.Iterations = schema.DefaultPasswordConfig.SHA2Crypt.Iterations
-	case config.SHA2Crypt.Iterations < crypt.SHA2CryptIterationsMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSHA2Crypt, "iterations", config.SHA2Crypt.Iterations, crypt.SHA2CryptIterationsMin))
-	case config.SHA2Crypt.Iterations > crypt.SHA2CryptIterationsMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSHA2Crypt, "iterations", config.SHA2Crypt.Iterations, crypt.SHA2CryptIterationsMax))
+	case config.SHA2Crypt.Iterations < shacrypt.IterationsMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSHA2Crypt, "iterations", config.SHA2Crypt.Iterations, shacrypt.IterationsMin))
+	case config.SHA2Crypt.Iterations > shacrypt.IterationsMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSHA2Crypt, "iterations", config.SHA2Crypt.Iterations, shacrypt.IterationsMax))
 	}

 	switch {
 	case config.SHA2Crypt.SaltLength == 0:
 		config.SHA2Crypt.SaltLength = schema.DefaultPasswordConfig.SHA2Crypt.SaltLength
-	case config.SHA2Crypt.SaltLength < crypt.SHA2CryptSaltSizeMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSHA2Crypt, "salt_length", config.SHA2Crypt.SaltLength, crypt.SHA2CryptSaltSizeMin))
-	case config.SHA2Crypt.SaltLength > crypt.SHA2CryptSaltSizeMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSHA2Crypt, "salt_length", config.SHA2Crypt.SaltLength, crypt.SHA2CryptSaltSizeMax))
+	case config.SHA2Crypt.SaltLength < shacrypt.SaltLengthMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSHA2Crypt, "salt_length", config.SHA2Crypt.SaltLength, shacrypt.SaltLengthMin))
+	case config.SHA2Crypt.SaltLength > shacrypt.SaltLengthMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSHA2Crypt, "salt_length", config.SHA2Crypt.SaltLength, shacrypt.SaltLengthMax))
 	}
 }

@ -176,19 +182,19 @@ func validateFileAuthenticationBackendPasswordConfigPBKDF2(config *schema.Passwo
 	switch {
 	case config.PBKDF2.Iterations == 0:
 		config.PBKDF2.Iterations = schema.DefaultPasswordConfig.PBKDF2.Iterations
-	case config.PBKDF2.Iterations < crypt.PBKDF2IterationsMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashPBKDF2, "iterations", config.PBKDF2.Iterations, crypt.PBKDF2IterationsMin))
-	case config.PBKDF2.Iterations > crypt.PBKDF2IterationsMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashPBKDF2, "iterations", config.PBKDF2.Iterations, crypt.PBKDF2IterationsMax))
+	case config.PBKDF2.Iterations < pbkdf2.IterationsMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashPBKDF2, "iterations", config.PBKDF2.Iterations, pbkdf2.IterationsMin))
+	case config.PBKDF2.Iterations > pbkdf2.IterationsMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashPBKDF2, "iterations", config.PBKDF2.Iterations, pbkdf2.IterationsMax))
 	}

 	switch {
 	case config.PBKDF2.SaltLength == 0:
 		config.PBKDF2.SaltLength = schema.DefaultPasswordConfig.PBKDF2.SaltLength
-	case config.PBKDF2.SaltLength < crypt.PBKDF2SaltSizeMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashPBKDF2, "salt_length", config.PBKDF2.SaltLength, crypt.PBKDF2SaltSizeMin))
-	case config.PBKDF2.SaltLength > crypt.PBKDF2SaltSizeMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashPBKDF2, "salt_length", config.PBKDF2.SaltLength, crypt.PBKDF2SaltSizeMax))
+	case config.PBKDF2.SaltLength < pbkdf2.SaltLengthMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashPBKDF2, "salt_length", config.PBKDF2.SaltLength, pbkdf2.SaltLengthMin))
+	case config.PBKDF2.SaltLength > pbkdf2.SaltLengthMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashPBKDF2, "salt_length", config.PBKDF2.SaltLength, pbkdf2.SaltLengthMax))
 	}
 }

@ -205,53 +211,58 @@ func validateFileAuthenticationBackendPasswordConfigBCrypt(config *schema.Passwo
 	switch {
 	case config.BCrypt.Cost == 0:
 		config.BCrypt.Cost = schema.DefaultPasswordConfig.BCrypt.Cost
-	case config.BCrypt.Cost < crypt.BcryptCostMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashBCrypt, "cost", config.BCrypt.Cost, crypt.BcryptCostMin))
-	case config.BCrypt.Cost > crypt.BcryptCostMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashBCrypt, "cost", config.BCrypt.Cost, crypt.BcryptCostMax))
+	case config.BCrypt.Cost < bcrypt.IterationsMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashBCrypt, "cost", config.BCrypt.Cost, bcrypt.IterationsMin))
+	case config.BCrypt.Cost > bcrypt.IterationsMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashBCrypt, "cost", config.BCrypt.Cost, bcrypt.IterationsMax))
 	}
 }

+//nolint:gocyclo
 func validateFileAuthenticationBackendPasswordConfigSCrypt(config *schema.Password, validator *schema.StructValidator) {
 	switch {
 	case config.SCrypt.Iterations == 0:
 		config.SCrypt.Iterations = schema.DefaultPasswordConfig.SCrypt.Iterations
-	case config.SCrypt.Iterations < crypt.ScryptIterationsMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "iterations", config.SCrypt.Iterations, crypt.ScryptIterationsMin))
+	case config.SCrypt.Iterations < scrypt.IterationsMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "iterations", config.SCrypt.Iterations, scrypt.IterationsMin))
+	case config.SCrypt.Iterations > scrypt.IterationsMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSCrypt, "iterations", config.SCrypt.Iterations, scrypt.IterationsMax))
 	}

 	switch {
 	case config.SCrypt.BlockSize == 0:
 		config.SCrypt.BlockSize = schema.DefaultPasswordConfig.SCrypt.BlockSize
-	case config.SCrypt.BlockSize < crypt.ScryptBlockSizeMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "block_size", config.SCrypt.BlockSize, crypt.ScryptBlockSizeMin))
-	case config.SCrypt.BlockSize > crypt.ScryptBlockSizeMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSCrypt, "block_size", config.SCrypt.BlockSize, crypt.ScryptBlockSizeMax))
+	case config.SCrypt.BlockSize < scrypt.BlockSizeMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "block_size", config.SCrypt.BlockSize, scrypt.BlockSizeMin))
+	case config.SCrypt.BlockSize > scrypt.BlockSizeMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSCrypt, "block_size", config.SCrypt.BlockSize, scrypt.BlockSizeMax))
 	}

 	switch {
 	case config.SCrypt.Parallelism == 0:
 		config.SCrypt.Parallelism = schema.DefaultPasswordConfig.SCrypt.Parallelism
-	case config.SCrypt.Parallelism < crypt.ScryptParallelismMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "parallelism", config.SCrypt.Parallelism, crypt.ScryptParallelismMin))
+	case config.SCrypt.Parallelism < scrypt.ParallelismMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "parallelism", config.SCrypt.Parallelism, scrypt.ParallelismMin))
+	case config.SCrypt.Parallelism > scrypt.ParallelismMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSCrypt, "parallelism", config.SCrypt.Parallelism, scrypt.ParallelismMax))
 	}

 	switch {
 	case config.SCrypt.KeyLength == 0:
 		config.SCrypt.KeyLength = schema.DefaultPasswordConfig.SCrypt.KeyLength
-	case config.SCrypt.KeyLength < crypt.ScryptKeySizeMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "key_length", config.SCrypt.KeyLength, crypt.ScryptKeySizeMin))
-	case config.SCrypt.KeyLength > crypt.ScryptKeySizeMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSCrypt, "key_length", config.SCrypt.KeyLength, crypt.ScryptKeySizeMax))
+	case config.SCrypt.KeyLength < scrypt.KeyLengthMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "key_length", config.SCrypt.KeyLength, scrypt.KeyLengthMin))
+	case config.SCrypt.KeyLength > scrypt.KeyLengthMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSCrypt, "key_length", config.SCrypt.KeyLength, scrypt.KeyLengthMax))
 	}

 	switch {
 	case config.SCrypt.SaltLength == 0:
 		config.SCrypt.SaltLength = schema.DefaultPasswordConfig.SCrypt.SaltLength
-	case config.SCrypt.SaltLength < crypt.ScryptSaltSizeMin:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "salt_length", config.SCrypt.SaltLength, crypt.ScryptSaltSizeMin))
-	case config.SCrypt.SaltLength > crypt.ScryptSaltSizeMax:
-		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSCrypt, "salt_length", config.SCrypt.SaltLength, crypt.ScryptSaltSizeMax))
+	case config.SCrypt.SaltLength < scrypt.SaltLengthMin:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooSmall, hashSCrypt, "salt_length", config.SCrypt.SaltLength, scrypt.SaltLengthMin))
+	case config.SCrypt.SaltLength > scrypt.SaltLengthMax:
+		validator.Push(fmt.Errorf(errFmtFileAuthBackendPasswordOptionTooLarge, hashSCrypt, "salt_length", config.SCrypt.SaltLength, scrypt.SaltLengthMax))
 	}
 }

--- a/internal/configuration/validator/authentication_test.go
+++ b/internal/configuration/validator/authentication_test.go
@ -409,18 +409,22 @@ func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSCryptOptio
 }

 func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenSCryptOptionsTooHigh() {
+	suite.config.File.Password.SCrypt.Iterations = 59
 	suite.config.File.Password.SCrypt.BlockSize = 360287970189639672
+	suite.config.File.Password.SCrypt.Parallelism = 1073741825
 	suite.config.File.Password.SCrypt.KeyLength = 1374389534409
 	suite.config.File.Password.SCrypt.SaltLength = 2147483647

 	ValidateAuthenticationBackend(&suite.config, suite.validator)

 	suite.Assert().Len(suite.validator.Warnings(), 0)
-	suite.Require().Len(suite.validator.Errors(), 3)
+	suite.Require().Len(suite.validator.Errors(), 5)

-	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: scrypt: option 'block_size' is configured as '360287970189639672' but must be less than or equal to '36028797018963967'")
-	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: scrypt: option 'key_length' is configured as '1374389534409' but must be less than or equal to '137438953440'")
-	suite.Assert().EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: scrypt: option 'salt_length' is configured as '2147483647' but must be less than or equal to '1024'")
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: scrypt: option 'iterations' is configured as '59' but must be less than or equal to '58'")
+	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: scrypt: option 'block_size' is configured as '360287970189639672' but must be less than or equal to '36028797018963967'")
+	suite.Assert().EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: scrypt: option 'parallelism' is configured as '1073741825' but must be less than or equal to '1073741823'")
+	suite.Assert().EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: scrypt: option 'key_length' is configured as '1374389534409' but must be less than or equal to '137438953440'")
+	suite.Assert().EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: scrypt: option 'salt_length' is configured as '2147483647' but must be less than or equal to '1024'")
 }

 func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2OptionsTooLow() {
@ -437,13 +441,14 @@ func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2Optio

 	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'iterations' is configured as '-1' but must be greater than or equal to '1'")
 	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: argon2: option 'parallelism' is configured as '-1' but must be greater than or equal to '1'")
-	suite.Assert().EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: argon2: option 'memory' is configured as '-1' but must be greater than or equal to '1'")
+	suite.Assert().EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: argon2: option 'memory' is configured as '-1' but must be greater than or equal to '8'")
 	suite.Assert().EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: argon2: option 'key_length' is configured as '1' but must be greater than or equal to '4'")
 	suite.Assert().EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: argon2: option 'salt_length' is configured as '-1' but must be greater than or equal to '1'")
 }

 func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2OptionsTooHigh() {
 	suite.config.File.Password.Argon2.Iterations = 9999999999
+	suite.config.File.Password.Argon2.Memory = 4294967296
 	suite.config.File.Password.Argon2.Parallelism = 16777216
 	suite.config.File.Password.Argon2.KeyLength = 9999999998
 	suite.config.File.Password.Argon2.SaltLength = 9999999997
@ -455,6 +460,7 @@ func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2Optio

 	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'iterations' is configured as '9999999999' but must be less than or equal to '2147483647'")
 	suite.Assert().EqualError(suite.validator.Errors()[1], "authentication_backend: file: password: argon2: option 'parallelism' is configured as '16777216' but must be less than or equal to '16777215'")
+	suite.Assert().EqualError(suite.validator.Errors()[2], "authentication_backend: file: password: argon2: option 'memory' is configured as '4294967296' but must be less than or equal to '4294967295'")
 	suite.Assert().EqualError(suite.validator.Errors()[3], "authentication_backend: file: password: argon2: option 'key_length' is configured as '9999999998' but must be less than or equal to '2147483647'")
 	suite.Assert().EqualError(suite.validator.Errors()[4], "authentication_backend: file: password: argon2: option 'salt_length' is configured as '9999999997' but must be less than or equal to '2147483647'")
 }
@ -468,7 +474,19 @@ func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2Memor
 	suite.Assert().Len(suite.validator.Warnings(), 0)
 	suite.Require().Len(suite.validator.Errors(), 1)

-	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'memory' is configured as '4' but must be greater than or equal to '32' or '4' (the value of 'parallelism) multiplied by '8'")
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'memory' is configured as '4' but must be greater than or equal to '8'")
+}
+
+func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenArgon2MemoryTooLowMultiplier() {
+	suite.config.File.Password.Argon2.Memory = 8
+	suite.config.File.Password.Argon2.Parallelism = 4
+
+	ValidateAuthenticationBackend(&suite.config, suite.validator)
+
+	suite.Assert().Len(suite.validator.Warnings(), 0)
+	suite.Require().Len(suite.validator.Errors(), 1)
+
+	suite.Assert().EqualError(suite.validator.Errors()[0], "authentication_backend: file: password: argon2: option 'memory' is configured as '8' but must be greater than or equal to '32' or '4' (the value of 'parallelism) multiplied by '8'")
 }

 func (suite *FileBasedAuthenticationBackend) TestShouldRaiseErrorWhenBadAlgorithmDefined() {
--- a/internal/configuration/validator/identity_providers_test.go
+++ b/internal/configuration/validator/identity_providers_test.go
@ -838,7 +838,7 @@ func TestValidateOIDCClientRedirectURIsSupportingPrivateUseURISchemes(t *testing
 }

 func MustDecodeSecret(value string) *schema.PasswordDigest {
-	if secret, err := schema.NewPasswordDigest(value, true); err != nil {
+	if secret, err := schema.DecodePasswordDigest(value); err != nil {
 		panic(err)
 	} else {
 		return secret
--- a/internal/oidc/client_test.go
+++ b/internal/oidc/client_test.go
@ -227,7 +227,7 @@ func TestClient_IsPublic(t *testing.T) {
 }

 func MustDecodeSecret(value string) *schema.PasswordDigest {
-	if secret, err := schema.NewPasswordDigest(value, true); err != nil {
+	if secret, err := schema.DecodePasswordDigest(value); err != nil {
 		panic(err)
 	} else {
 		return secret
--- a/internal/oidc/config.go
+++ b/internal/oidc/config.go
@ -66,6 +66,7 @@ type Config struct {
 	JWTScopeField  jwt.JWTScopeFieldEnum
 	JWTMaxDuration time.Duration

+	Hasher               *AdaptiveHasher
 	Hash                 HashConfig
 	Strategy             StrategyConfig
 	PAR                  PARConfig
@ -513,7 +514,7 @@ func (c *Config) GetTokenURL(ctx context.Context) (tokenURL string) {
 // GetSecretsHasher returns the client secrets hashing function.
 func (c *Config) GetSecretsHasher(ctx context.Context) (hasher fosite.Hasher) {
 	if c.Hash.ClientSecrets == nil {
-		c.Hash.ClientSecrets = &AdaptiveHasher{}
+		c.Hash.ClientSecrets, _ = NewAdaptiveHasher()
 	}

 	return c.Hash.ClientSecrets
--- a/internal/oidc/hasher.go
+++ b/internal/oidc/hasher.go
@ -4,13 +4,34 @@ import (
 	"context"

 	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm"
+	"github.com/go-crypt/crypt/algorithm/plaintext"
 )

-// Compare compares the hash with the data and returns an error if they don't match.
-func (h AdaptiveHasher) Compare(_ context.Context, hash, data []byte) (err error) {
-	var digest crypt.Digest
+func NewAdaptiveHasher() (hasher *AdaptiveHasher, err error) {
+	hasher = &AdaptiveHasher{}

-	if digest, err = crypt.DecodeWithPlainText(string(hash)); err != nil {
+	if hasher.decoder, err = crypt.NewDefaultDecoder(); err != nil {
+		return nil, err
+	}
+
+	if err = plaintext.RegisterDecoderPlainText(hasher.decoder); err != nil {
+		return nil, err
+	}
+
+	return hasher, nil
+}
+
+// AdaptiveHasher implements the fosite.Hasher interface without an actual hashing algo.
+type AdaptiveHasher struct {
+	decoder algorithm.DecoderRegister
+}
+
+// Compare compares the hash with the data and returns an error if they don't match.
+func (h *AdaptiveHasher) Compare(_ context.Context, hash, data []byte) (err error) {
+	var digest algorithm.Digest
+
+	if digest, err = h.decoder.Decode(string(hash)); err != nil {
 		return err
 	}

@ -22,6 +43,6 @@ func (h AdaptiveHasher) Compare(_ context.Context, hash, data []byte) (err error
 }

 // Hash creates a new hash from data.
-func (h AdaptiveHasher) Hash(_ context.Context, data []byte) (hash []byte, err error) {
+func (h *AdaptiveHasher) Hash(_ context.Context, data []byte) (hash []byte, err error) {
 	return data, nil
 }
--- a/internal/oidc/hasher_test.go
+++ b/internal/oidc/hasher_test.go
@ -5,32 +5,46 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )

 func TestShouldNotRaiseErrorOnEqualPasswordsPlainText(t *testing.T) {
-	hasher := AdaptiveHasher{}
+	hasher, err := NewAdaptiveHasher()
+
+	require.NoError(t, err)

 	a := []byte("$plaintext$abc")
 	b := []byte("abc")

 	ctx := context.Background()

-	err := hasher.Compare(ctx, a, b)
+	assert.NoError(t, hasher.Compare(ctx, a, b))
+}

-	assert.NoError(t, err)
+func TestShouldNotRaiseErrorOnEqualPasswordsPlainTextWithSeparator(t *testing.T) {
+	hasher, err := NewAdaptiveHasher()
+
+	require.NoError(t, err)
+
+	a := []byte("$plaintext$abc$123")
+	b := []byte("abc$123")
+
+	ctx := context.Background()
+
+	assert.NoError(t, hasher.Compare(ctx, a, b))
 }

 func TestShouldRaiseErrorOnNonEqualPasswordsPlainText(t *testing.T) {
-	hasher := AdaptiveHasher{}
+	hasher, err := NewAdaptiveHasher()
+
+	require.NoError(t, err)

 	a := []byte("$plaintext$abc")
 	b := []byte("abcd")

 	ctx := context.Background()

-	err := hasher.Compare(ctx, a, b)
-
-	assert.Equal(t, errPasswordsDoNotMatch, err)
+	assert.Equal(t, errPasswordsDoNotMatch, hasher.Compare(ctx, a, b))
 }

 func TestShouldHashPassword(t *testing.T) {
--- a/internal/oidc/types.go
+++ b/internal/oidc/types.go
@ -4,7 +4,7 @@ import (
 	"net/url"
 	"time"

-	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm"
 	"github.com/ory/fosite"
 	"github.com/ory/fosite/handler/openid"
 	"github.com/ory/fosite/token/jwt"
@ -103,7 +103,7 @@ type Store struct {
 type Client struct {
 	ID               string
 	Description      string
-	Secret           crypt.Digest
+	Secret           algorithm.Digest
 	SectorIdentifier string
 	Public           bool

@ -184,9 +184,6 @@ type KeyManager struct {
 	jwks *jose.JSONWebKeySet
 }

-// AdaptiveHasher implements the fosite.Hasher interface without an actual hashing algo.
-type AdaptiveHasher struct{}
-
 // ConsentGetResponseBody schema of the response body of the consent GET endpoint.
 type ConsentGetResponseBody struct {
 	ClientID          string   `json:"client_id"`