Problem:

1. We cannot force our users to select strong passwords such as 64 byte hexadecimal strings.
2. Not everyone is content to use unsalted sha256 hashing.
3. Because machines grow more powerful and attacks grow more sophisticated, we can expect to eventually need newer and stronger algorithms.

New Feature: A module API that will allow the password hashing algorithm to be replaced by passing a set of function pointers. It should take full advantage of the existing ACL and should not require defining new commands such as HELLOACL.AUTH. Changing the hashing algorithm should be transparent to the client.

Alternatives:

Looked at RedisModule_AuthenticateClientWithACLUser and related functions. Normally these don't get called until after the existing hashing algorithm is used at https://github.com/redis/redis/blob/9cb9f98d2f0d9114ac4528b2f9434a2fd2edfd60/src/acl.c#L1125

Looked at adding a new command such as HELLOACL.AUTH. This would require that clients change their method of authenticating.

Looked at renaming the AUTH command so that it could be intercepted by a new implementation in a module. This would force the implementer to deal with issues that are unrelated to the hashing algorithm, such as checking the DISABLED and NOPASS flags. https://github.com/RedisLabsModules/pam_auth/blob/master/pam_auth.c overrides the AUTH command and we can see that it becomes responsible for generating appropriate responses to the client.
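The proposed shape of the feature, as an added Python sketch that is not Redis code or any Redis module API: the hashing algorithm is a record of function pointers that can be swapped, the default reproduces the unsalted SHA-256 hex scheme, and the DISABLED/NOPASS flag handling stays in the server so the replacement only has to verify credentials. All names, the `pbkdf2$salt$digest` stored format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical interface sketched from the issue: two function pointers, one to
# derive the stored credential and one to verify a password against it.
@dataclass
class PasswordHasher:
    name: str
    hash_password: Callable[[str], str]
    verify_password: Callable[[str, str], bool]

def _sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Default scheme the issue describes: unsalted SHA-256, stored as 64 hex chars.
UNSALTED_SHA256 = PasswordHasher(
    "sha256", _sha256_hex,
    lambda pw, stored: hmac.compare_digest(_sha256_hex(pw), stored))

def _pbkdf2_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt unless re-deriving to verify
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return f"pbkdf2${salt.hex()}${dk.hex()}"  # assumed stored format

def _pbkdf2_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False  # credential was not produced by this scheme
    return hmac.compare_digest(_pbkdf2_hash(password, bytes.fromhex(parts[1])), stored)

# A stronger drop-in: salted PBKDF2-HMAC-SHA256, swapped in by passing a new record.
SALTED_PBKDF2 = PasswordHasher("pbkdf2", _pbkdf2_hash, _pbkdf2_verify)

@dataclass
class AclUser:
    name: str
    enabled: bool = True   # the 'off' flag, which the issue calls DISABLED
    nopass: bool = False   # NOPASS: any password is accepted
    stored: list = field(default_factory=list)

def authenticate(user: AclUser, password: str, hasher: PasswordHasher) -> bool:
    """Flag handling stays with the server; only the credential check is delegated."""
    if not user.enabled:
        return False
    if user.nopass:
        return True
    return any(hasher.verify_password(password, s) for s in user.stored)
```

Because the client still sends a plain `AUTH`, switching `hasher` from `UNSALTED_SHA256` to `SALTED_PBKDF2` changes nothing on the wire.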

Comment From: madolson

Looks like a duplicate of https://github.com/redis/redis/issues/8329.