Password hashing uses bcrypt
From another issue, it appears that GitLab uses `bcrypt` for hashing passwords. This appears to be generally strong; however, it does not seem to be in the list of FIPS approved algorithms: https://www.elastic.co/blog/configuring-elasticsearch-in-a-fips-140-2-environment

While others should validate this, the logic seems to be:

1. FIPS 140-2 does not include password hashing algorithms.
2. bcrypt uses Blowfish, which is not validated, and is therefore not FIPS 140-2 approved.
3. You can use PBKDF2, which supports a variety of hashes, such as SHA-2, which is approved.

## Proposal

1. Introduce a new DB column to store the encryptor type (currently `bcrypt`).
2. During successful login:
   - if the encryptor type is `bcrypt`, update the password to store as `SHA512`
3. After a transitional period, force password resets for users still having a `bcrypt` password.
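As an added example (not GitLab's code), the following Python sketch shows the proposal's login-time migration: the stored record carries an encryptor type, a legacy `bcrypt` row is verified and re-hashed with PBKDF2-HMAC-SHA512 while the plaintext is available, and rows still typed `bcrypt` after the transition are flagged for a forced reset. The record layout, the `pbkdf2_sha512` type name and the iteration count are assumptions, and the bcrypt check is injected as a callback (in production this would be `bcrypt.checkpw` from the `bcrypt` package) so the example runs with the standard library alone.

```python
import hashlib
import hmac
import os
from typing import Callable

# Assumed record layout for this example (not GitLab's schema):
# {"encryptor_type": "bcrypt" | "pbkdf2_sha512", "hash": str, "salt": bytes, "iterations": int}
PBKDF2_ITERATIONS = 600_000  # assumption: tune to current guidance and your hardware


def pbkdf2_sha512_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Hash with PBKDF2-HMAC-SHA512 (approved primitives) and return the row to store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return {"encryptor_type": "pbkdf2_sha512", "salt": salt, "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2_sha512(password: str, record: dict) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), record["salt"],
                                 record["iterations"], dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def login_and_migrate(password: str, record: dict,
                      legacy_verify: Callable[[str, str], bool]) -> tuple[bool, dict]:
    """Step 2 of the proposal: verify against the stored encryptor type and, on a successful
    bcrypt login, return an upgraded record. legacy_verify stands in for bcrypt.checkpw."""
    if record["encryptor_type"] == "bcrypt":
        if not legacy_verify(password, record["hash"]):
            return False, record          # failed login: keep the legacy row untouched
        return True, pbkdf2_sha512_record(password)  # only now is the plaintext available
    if record["encryptor_type"] == "pbkdf2_sha512":
        return verify_pbkdf2_sha512(password, record), record
    raise ValueError(f"unknown encryptor type: {record['encryptor_type']}")


def needs_forced_reset(record: dict) -> bool:
    """Step 3: rows still typed bcrypt after the transition never logged in; reset them."""
    return record["encryptor_type"] == "bcrypt"
```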