From 752f9d1229788c4bdff31a4df8477fea6bde2e29 Mon Sep 17 00:00:00 2001
From: Asim <Ahmad.Asim@tib.eu>
Date: Wed, 9 May 2018 13:51:11 +0200
Subject: [PATCH] Fixed the tests

---
 api/pom.xml                                   |   5 +
 .../webapp/auth/policy/PolicyHelper.java      |   2 +-
 .../webapp/auth/policy/RootUserPolicy.java    |   6 +-
 .../vitro/webapp/beans/UserAccount.java       |  12 +-
 .../accounts/UserAccountsSelector.java        |   1 +
 .../admin/UserAccountsAddPageStrategy.java    |   4 +-
 .../admin/UserAccountsEditPageStrategy.java   |   3 +-
 .../user/UserAccountsCreatePasswordPage.java  |   4 +-
 .../UserAccountsMyAccountPageStrategy.java    |   4 +-
 .../user/UserAccountsResetPasswordPage.java   |   3 +-
 .../controller/api/VitroApiServlet.java       |   2 +-
 .../authenticate/AdminLoginController.java    |  22 +++-
 .../authenticate/Authenticator.java           | 107 ++++++++++++++++--
 .../authenticate/BasicAuthenticator.java      |  27 ++++-
 .../controller/authenticate/ProgramLogin.java |  16 ++-
 .../authenticate/RestrictedAuthenticator.java |  23 ++++
 .../webapp/controller/edit/Authenticate.java  |  24 +++-
 .../vitro/webapp/dao/VitroVocabulary.java     |   1 +
 .../vitro/webapp/dao/jena/JenaBaseDaoCon.java |   1 +
 .../webapp/dao/jena/UserAccountsDaoJena.java  |   5 +
 .../authenticate/AuthenticatorStub.java       |  26 +++++
 .../authenticate/ProgramLoginTest.java        |   7 +-
 .../controller/edit/AuthenticateTest.java     |   4 +-
 .../dao/jena/UserAccountsDaoJenaTest.java     |  21 ++--
 .../config/example.runtime.properties         |   2 +-
 .../webapp/config/example.runtime.properties  |  15 +++
 26 files changed, 302 insertions(+), 45 deletions(-)

diff --git a/api/pom.xml b/api/pom.xml
index 6026424bd..28d9d6fe8 100644
--- a/api/pom.xml
+++ b/api/pom.xml
@@ -53,6 +53,11 @@
     </build>
 
     <dependencies>
+        <dependency>
+            <groupId>de.mkammerer</groupId>
+            <artifactId>argon2-jvm</artifactId>
+            <version>2.4</version>
+        </dependency>
         <dependency>
             <groupId>org.vivoweb</groupId>
             <artifactId>vitro-dependencies</artifactId>
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
index f06ab9634..194997f9f 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
@@ -102,7 +102,7 @@ public class PolicyHelper {
 			String uri = user.getUri();
 			log.debug("userAccount is '" + uri + "'");
 
-			if (!auth.isCurrentPassword(user, password)) {
+			if (!auth.isCurrentPasswordArgon2(user, password)) {
 				log.debug(String.format("UNAUTHORIZED, password not accepted "
 						+ "for %s, account URI: %s", email, uri));
 				return false;
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java
index d432ca66c..b18022657 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/policy/RootUserPolicy.java
@@ -67,6 +67,7 @@ public class RootUserPolicy implements PolicyIface {
 		private ServletContext ctx;
 		private StartupStatus ss;
 		private UserAccountsDao uaDao;
+		private ConfigurationProperties cp;
 		private String configuredRootUser;
 		private boolean configuredRootUserExists;
 		private TreeSet<String> otherRootUsers;
@@ -75,6 +76,7 @@ public class RootUserPolicy implements PolicyIface {
 		public void contextInitialized(ServletContextEvent sce) {
 			ctx = sce.getServletContext();
 			ss = StartupStatus.getBean(ctx);
+			cp = ConfigurationProperties.getBean(ctx);
 
 			try {
 				uaDao = ModelAccess.on(ctx).getWebappDaoFactory()
@@ -148,8 +150,8 @@ public class RootUserPolicy implements PolicyIface {
 			ua.setEmailAddress(configuredRootUser);
 			ua.setFirstName("root");
 			ua.setLastName("user");
-			ua.setMd5Password(Authenticator
-					.applyMd5Encoding(ROOT_USER_INITIAL_PASSWORD));
+			ua.setArgon2Password(Authenticator.applyArgon2iEncoding(cp,ROOT_USER_INITIAL_PASSWORD));
+			ua.setMd5Password("");
 			ua.setPasswordChangeRequired(true);
 			ua.setStatus(Status.ACTIVE);
 			ua.setRootUser(true);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/UserAccount.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/UserAccount.java
index ec3f0bb12..0bbe08fa2 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/UserAccount.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/beans/UserAccount.java
@@ -48,6 +48,7 @@ public class UserAccount {
 	private String firstName = ""; // Never null.
 	private String lastName = ""; // Never null.
 
+	private String argon2Password = ""; //Never null.
 	private String md5Password = ""; // Never null.
 	private String oldPassword = ""; // Never null.
 	private long passwordLinkExpires = 0L; // Never negative.
@@ -104,6 +105,14 @@ public class UserAccount {
 		this.lastName = nonNull(lastName, "");
 	}
 
+	public String getArgon2Password() {
+		return argon2Password;
+	}
+
+	public void setArgon2Password(String argo2Password) {
+		this.argon2Password = nonNull(argo2Password, "");
+	}
+
 	public String getMd5Password() {
 		return md5Password;
 	}
@@ -125,8 +134,9 @@ public class UserAccount {
 	}
 
 	public String getPasswordLinkExpiresHash() {
-		return limitStringLength(8, Authenticator.applyMd5Encoding(String
+		return limitStringLength(8, Authenticator.applyArgon2iEncoding(String
 				.valueOf(passwordLinkExpires)));
+		//applyMd5Encoding
 	}
 
 	public void setPasswordLinkExpires(long passwordLinkExpires) {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/UserAccountsSelector.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/UserAccountsSelector.java
index b809f768e..e2ac96c16 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/UserAccountsSelector.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/UserAccountsSelector.java
@@ -246,6 +246,7 @@ public class UserAccountsSelector {
 			user.setFirstName(ifLiteralPresent(solution, "firstName", ""));
 			user.setLastName(ifLiteralPresent(solution, "lastName", ""));
 			user.setMd5Password(ifLiteralPresent(solution, "pwd", ""));
+			user.setArgon2Password(ifLiteralPresent(solution, "pwd", ""));
 			user.setPasswordLinkExpires(ifLongPresent(solution, "expire", 0L));
 			user.setLoginCount(ifIntPresent(solution, "count", 0));
 			user.setLastLoginTime(ifLongPresent(solution, "lastLogin", 0));
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsAddPageStrategy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsAddPageStrategy.java
index 4bed0fa55..307ccf9f6 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsAddPageStrategy.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsAddPageStrategy.java
@@ -198,8 +198,8 @@ public abstract class UserAccountsAddPageStrategy extends UserAccountsPage {
 		@Override
 		protected void setAdditionalProperties(UserAccount u) {
 			if (!page.isExternalAuthOnly()) {
-				u.setMd5Password(Authenticator
-						.applyMd5Encoding(initialPassword));
+				u.setArgon2Password(Authenticator.applyArgon2iEncoding(initialPassword));
+				u.setMd5Password("");
 				u.setPasswordChangeRequired(true);
 			}
 			u.setStatus(Status.ACTIVE);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsEditPageStrategy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsEditPageStrategy.java
index 974e71b49..708f11e66 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsEditPageStrategy.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/admin/UserAccountsEditPageStrategy.java
@@ -194,7 +194,8 @@ public abstract class UserAccountsEditPageStrategy extends UserAccountsPage {
 		@Override
 		protected void setAdditionalProperties(UserAccount u) {
 			if (!page.isExternalAuthOnly() && !newPassword.isEmpty()) {
-				u.setMd5Password(Authenticator.applyMd5Encoding(newPassword));
+				u.setArgon2Password(Authenticator.applyArgon2iEncoding(newPassword));
+				u.setMd5Password("");
 				u.setPasswordChangeRequired(true);
 			}
 		}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsCreatePasswordPage.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsCreatePasswordPage.java
index 8aec68112..b9515d4c7 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsCreatePasswordPage.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsCreatePasswordPage.java
@@ -33,14 +33,14 @@ public class UserAccountsCreatePasswordPage extends
 	}
 
 	public void createPassword() {
-		userAccount.setMd5Password(Authenticator.applyMd5Encoding(newPassword));
+		userAccount.setArgon2Password(Authenticator.applyArgon2iEncoding(newPassword));
+		userAccount.setMd5Password("");
 		userAccount.setPasswordLinkExpires(0L);
 		userAccount.setPasswordChangeRequired(false);
 		userAccount.setStatus(Status.ACTIVE);
 		userAccountsDao.updateUserAccount(userAccount);
 		log.debug("Set password on '" + userAccount.getEmailAddress()
 				+ "' to '" + newPassword + "'");
-
 		notifyUser();
 	}
 
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsMyAccountPageStrategy.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsMyAccountPageStrategy.java
index d7247a614..057098eea 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsMyAccountPageStrategy.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsMyAccountPageStrategy.java
@@ -155,8 +155,8 @@ public abstract class UserAccountsMyAccountPageStrategy extends
 		@Override
 		public void setAdditionalProperties(UserAccount userAccount) {
 			if (!newPassword.isEmpty() && !page.isExternalAuthOnly()) {
-				userAccount.setMd5Password(Authenticator
-						.applyMd5Encoding(newPassword));
+				userAccount.setArgon2Password(Authenticator.applyArgon2iEncoding(newPassword));
+				userAccount.setMd5Password("");
 				userAccount.setPasswordChangeRequired(false);
 				userAccount.setPasswordLinkExpires(0L);
 			}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsResetPasswordPage.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsResetPasswordPage.java
index d09f2bced..712df1b40 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsResetPasswordPage.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/accounts/user/UserAccountsResetPasswordPage.java
@@ -33,7 +33,8 @@ public class UserAccountsResetPasswordPage extends UserAccountsPasswordBasePage
 	}
 
 	public void resetPassword() {
-		userAccount.setMd5Password(Authenticator.applyMd5Encoding(newPassword));
+		userAccount.setArgon2Password(Authenticator.applyArgon2iEncoding(newPassword));
+		userAccount.setMd5Password("");
 		userAccount.setPasswordLinkExpires(0L);
 		userAccount.setPasswordChangeRequired(false);
 		userAccount.setStatus(Status.ACTIVE);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
index 5105eeb0f..65553f2f1 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/api/VitroApiServlet.java
@@ -54,7 +54,7 @@ public class VitroApiServlet extends HttpServlet {
 					+ "last names and a valid email address.");
 		}
 
-		if (!auth.isCurrentPassword(account, password)) {
+		if (!auth.isCurrentPasswordArgon2(account, password)) {
 			log.debug("Invalid: '" + email + "'/'" + password + "'");
 			throw new AuthException("email/password combination is not valid");
 		}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
index d7efcd82a..041a6deb3 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AdminLoginController.java
@@ -141,8 +141,12 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 		}
 
 		private boolean newPasswordRequired() {
-			return auth.isCurrentPassword(userAccount, password)
-					&& (userAccount.isPasswordChangeRequired());
+			if(auth.md5HashIsNull(userAccount)) {
+				return auth.isCurrentPasswordArgon2(userAccount, password)
+						&& userAccount.isPasswordChangeRequired();
+			}
+			else
+				return auth.isCurrentPassword(userAccount, password);  // MD5 password should be changed anyway
 		}
 
 		private boolean isPasswordValidLength(String pw) {
@@ -151,8 +155,18 @@ public class AdminLoginController extends FreemarkerHttpServlet {
 		}
 
 		private boolean tryToLogin() {
-			if (!auth.isCurrentPassword(userAccount, password)) {
-				return false;
+			if(auth.md5HashIsNull(userAccount)) {
+				if (!auth.isCurrentPasswordArgon2(userAccount, password))
+					return false;
+			}
+			else {
+				if (!auth.isCurrentPassword(userAccount, password))
+					return false;
+				else {
+					userAccount.setPasswordChangeRequired(true);
+					userAccount.setMd5Password("");
+
+				}
 			}
 
 			try {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
index 76bc3bc20..1b9e891ae 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/Authenticator.java
@@ -2,21 +2,23 @@
 
 package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
 
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.util.List;
+import de.mkammerer.argon2.Argon2;
+import de.mkammerer.argon2.Argon2Factory;
+import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
+import org.apache.commons.codec.binary.Hex;
 
 import javax.mail.internet.AddressException;
 import javax.mail.internet.InternetAddress;
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.List;
 
-import org.apache.commons.codec.binary.Hex;
-
-import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
-import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
-import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 
 /**
  * The tool that a login process will use to interface with the user records in
@@ -55,14 +57,16 @@ public abstract class Authenticator {
 	 * 
 	 * If there is no factory, configure a Basic one.
 	 */
+	private static ConfigurationProperties cp;
 	public static Authenticator getInstance(HttpServletRequest request) {
-		ServletContext ctx = request.getSession().getServletContext();
+		 ServletContext ctx = request.getSession().getServletContext();
 		Object attribute = ctx.getAttribute(FACTORY_ATTRIBUTE_NAME);
 		if (!(attribute instanceof AuthenticatorFactory)) {
 			setAuthenticatorFactory(new BasicAuthenticator.Factory(), ctx);
 			attribute = ctx.getAttribute(FACTORY_ATTRIBUTE_NAME);
 		}
 		AuthenticatorFactory factory = (AuthenticatorFactory) attribute;
+		cp = ConfigurationProperties.getBean(ctx);
 
 		return factory.getInstance(request);
 	}
@@ -112,6 +116,17 @@ public abstract class Authenticator {
 	public abstract boolean isCurrentPassword(UserAccount userAccount,
 			String clearTextPassword);
 
+
+	public abstract boolean isCurrentPasswordArgon2(UserAccount userAccount,
+											  String clearTextPassword);
+
+
+	/**
+	 *
+	 * Checks if the user still has got an MD5 Password
+	 */
+	public abstract boolean md5HashIsNull(UserAccount userAccount);
+
 	/**
 	 * Internal: record a new password for the user. Takes no action if the
 	 * userAccount is null.
@@ -180,6 +195,78 @@ public abstract class Authenticator {
 		}
 	}
 
+    /**
+     * Applies Argon2i hashing on a string.
+     * Used by tests only with pre-specified values because the configuration
+     * properties (runtime.properties) is not set at compile time.
+    **/
+
+	public static String applyArgon2iEncodingStub(String raw) {
+		Argon2 argon2 = Argon2Factory.create();
+		try {
+				return argon2.hash(200, 500, 1, raw);
+			} catch (Exception e) {
+			// This can't happen with a normal Java runtime.
+			throw new RuntimeException(e);
+		}
+	}
+
+    /**
+     * Applies Argon2i hashing on a string. Obtains the argon2i parameters
+     * from the configuration properties specified in the runtime.properties
+     * through this class "Authenticator".
+     **/
+
+	public static String applyArgon2iEncoding(String raw) {
+		Argon2 argon2 = Argon2Factory.create();
+		try {
+                if(cp.getProperty("argon2.time") != null && cp.getProperty("argon2.memory") !=null && cp.getProperty("argon2.parallelism")!=null)
+			return argon2.hash(Integer.parseInt(cp.getProperty("argon2.time")),
+					Integer.parseInt(cp.getProperty("argon2.memory")),
+					Integer.parseInt(cp.getProperty("argon2.parallelism")), raw);
+                else
+                    throw new RuntimeException("Parameters \"argon2.time\", \"argon2.memory\" and \"argon2.parallelism\" are either missing in the \"runtime.properties\" file or are not defined correctly");
+		} catch (Exception e) {
+			// This can't happen with a normal Java runtime.
+			throw new RuntimeException(e);
+		}
+	}
+
+
+
+    /**
+     * Applies Argon2i hashing on a string.
+     * When Vivo/Vitro is run for the first time the application needs to set
+     * the "root" account before a call is made to this class (Authenticator).
+     * In that case the configuration properties are passed along with the
+     * password string to this method.
+     **/
+
+	public static String applyArgon2iEncoding(ConfigurationProperties configProp, String raw) {
+		Argon2 argon2 = Argon2Factory.create();
+		try {
+			if(configProp.getProperty("argon2.time") != null && configProp.getProperty("argon2.memory") !=null && configProp.getProperty("argon2.parallelism")!=null)
+				return argon2.hash(Integer.parseInt(configProp.getProperty("argon2.time")),
+						Integer.parseInt(configProp.getProperty("argon2.memory")),
+						Integer.parseInt(configProp.getProperty("argon2.parallelism")), raw);
+			else
+				throw new RuntimeException("Parameters \"argon2.time\", \"argon2.memory\" and \"argon2.parallelism\" are either missing in the \"runtime.properties\" file or are not defined correctly");
+		} catch (Exception e) {
+			// This can't happen with a normal Java runtime.
+			throw new RuntimeException(e);
+		}
+	}
+
+    /**
+     Verifies the string against the Argon2i hash stored for a user account
+     */
+
+	public static boolean verifyArgon2iHash(String hash, String raw)
+	{
+		Argon2 argon2 = Argon2Factory.create();
+		return argon2.verify(hash, raw);
+	}
+
 	/**
 	 * Check whether the form of the emailAddress is syntactically correct. Does
 	 * not allow multiple addresses. Does not allow local addresses (without a
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
index 2c9af1367..fc216dd2e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/BasicAuthenticator.java
@@ -98,6 +98,30 @@ public class BasicAuthenticator extends Authenticator {
 		return encodedPassword.equals(userAccount.getMd5Password());
 	}
 
+	@Override
+	public boolean md5HashIsNull(UserAccount userAccount){
+		if(userAccount.getMd5Password().compareTo("")==0 || userAccount.getMd5Password()==null)
+			return  true;
+		else
+			return false;
+	}
+
+
+	@Override
+	public boolean isCurrentPasswordArgon2(UserAccount userAccount,
+									 String clearTextPassword) {
+		if (userAccount == null) {
+			return false;
+		}
+		if (clearTextPassword == null) {
+			return false;
+		}
+
+		return verifyArgon2iHash(userAccount.getArgon2Password(),clearTextPassword);
+	}
+
+
+
 	@Override
 	public void recordNewPassword(UserAccount userAccount,
 			String newClearTextPassword) {
@@ -105,7 +129,8 @@ public class BasicAuthenticator extends Authenticator {
 			log.error("Trying to change password on null user.");
 			return;
 		}
-		userAccount.setMd5Password(applyMd5Encoding(newClearTextPassword));
+		userAccount.setArgon2Password((applyArgon2iEncoding(newClearTextPassword)));
+		userAccount.setMd5Password("");
 		userAccount.setPasswordChangeRequired(false);
 		userAccount.setPasswordLinkExpires(0L);
 		getUserAccountsDao().updateUserAccount(userAccount);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLogin.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLogin.java
index d6f1c15d4..acf33ae1e 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLogin.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLogin.java
@@ -5,6 +5,7 @@ package edu.cornell.mannlib.vitro.webapp.controller.authenticate;
 import static edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource.INTERNAL;
 import static edu.cornell.mannlib.vitro.webapp.beans.UserAccount.MAX_PASSWORD_LENGTH;
 import static edu.cornell.mannlib.vitro.webapp.beans.UserAccount.MIN_PASSWORD_LENGTH;
+import static edu.cornell.mannlib.vitro.webapp.controller.login.LoginProcessBean.MLevel.ERROR;
 
 import java.io.IOException;
 import java.io.PrintWriter;
@@ -158,7 +159,20 @@ public class ProgramLogin extends HttpServlet {
 		}
 
 		private boolean usernameAndPasswordAreValid() {
-			return auth.isCurrentPassword(userAccount, password);
+
+			if(auth.md5HashIsNull(userAccount)) {
+				if (!auth.isCurrentPasswordArgon2(userAccount, password))
+					return false;
+			}
+			else {
+				if (!auth.isCurrentPassword(userAccount, password))
+					return false;
+				else {
+					userAccount.setPasswordChangeRequired(true);
+				//	userAccount.setMd5Password("");
+				}
+			}
+			return true;
 		}
 
 		private boolean loginDisabled() {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/RestrictedAuthenticator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/RestrictedAuthenticator.java
index 1443e4250..1a33c1647 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/RestrictedAuthenticator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/RestrictedAuthenticator.java
@@ -76,6 +76,29 @@ public class RestrictedAuthenticator extends Authenticator {
 		return auth.getAccountForInternalAuth(emailAddress);
 	}
 
+	@Override
+	public boolean md5HashIsNull(UserAccount userAccount){
+		if(userAccount.getMd5Password().compareTo("")==0 || userAccount.getMd5Password()==null)
+			return  true;
+		else
+			return false;
+	}
+
+
+	@Override
+	public boolean isCurrentPasswordArgon2(UserAccount userAccount,
+										   String clearTextPassword) {
+		if (userAccount == null) {
+			return false;
+		}
+		if (clearTextPassword == null) {
+			return false;
+		}
+
+		return verifyArgon2iHash(userAccount.getArgon2Password(),clearTextPassword);
+	}
+
+
 	@Override
 	public boolean isCurrentPassword(UserAccount userAccount,
 			String clearTextPassword) {
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
index c1752f327..6c957e070 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/controller/edit/Authenticate.java
@@ -331,15 +331,31 @@ public class Authenticate extends VitroHttpServlet {
 			return;
 		}
 
+
 		if (!getAuthenticator(request).isUserPermittedToLogin(user)) {
 			bean.setMessage(request, ERROR, "logins_disabled_for_maintenance");
 			return;
 		}
 
-		if (!getAuthenticator(request).isCurrentPassword(user, password)) {
-			bean.setMessage(request, ERROR, "error_incorrect_credentials");
-			return;
+
+		if(getAuthenticator(request).md5HashIsNull(user)) {
+			if (!getAuthenticator(request).isCurrentPasswordArgon2(user, password)) {
+				bean.setMessage(request, ERROR, "error_incorrect_credentials");
+				return;
+			}
 		}
+		else {
+				if (!getAuthenticator(request).isCurrentPassword(user, password)) {
+					bean.setMessage(request, ERROR, "error_incorrect_credentials");
+					return;
+				}
+				else {
+					 user.setPasswordChangeRequired(true);
+					 user.setMd5Password("");
+				}
+			}
+
+
 
 		// Username and password are correct. What next?
 		if (user.isPasswordChangeRequired()) {
@@ -401,7 +417,7 @@ public class Authenticate extends VitroHttpServlet {
 
 		UserAccount user = getAuthenticator(request).getAccountForInternalAuth(
 				username);
-		if (getAuthenticator(request).isCurrentPassword(user, newPassword)) {
+		if (getAuthenticator(request).isCurrentPasswordArgon2(user, newPassword)) {
 			bean.setMessage(request, ERROR, "error_previous_password");
 			return;
 		}
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
index 9c85c80bd..2cf3e4bfe 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/VitroVocabulary.java
@@ -149,6 +149,7 @@ public class VitroVocabulary {
     public static final String USERACCOUNT_EMAIL_ADDRESS = VITRO_AUTH + "emailAddress";
     public static final String USERACCOUNT_FIRST_NAME = VITRO_AUTH + "firstName";
     public static final String USERACCOUNT_LAST_NAME = VITRO_AUTH + "lastName";
+    public static final String USERACCOUNT_ARGON2_PASSWORD = VITRO_AUTH + "argon2password";
     public static final String USERACCOUNT_MD5_PASSWORD = VITRO_AUTH + "md5password";
     public static final String USERACCOUNT_OLD_PASSWORD = VITRO_AUTH + "oldpassword";
     public static final String USERACCOUNT_LOGIN_COUNT = VITRO_AUTH + "loginCount";
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
index ab61a7d4d..542a514d9 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/JenaBaseDaoCon.java
@@ -112,6 +112,7 @@ public class JenaBaseDaoCon {
     protected  DatatypeProperty   USERACCOUNT_EMAIL_ADDRESS = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_EMAIL_ADDRESS);
     protected  DatatypeProperty   USERACCOUNT_FIRST_NAME = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_FIRST_NAME);
     protected  DatatypeProperty   USERACCOUNT_LAST_NAME = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_LAST_NAME);
+    protected  DatatypeProperty   USERACCOUNT_ARGON2_PASSWORD = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_ARGON2_PASSWORD);
     protected  DatatypeProperty   USERACCOUNT_MD5_PASSWORD = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_MD5_PASSWORD);
     protected  DatatypeProperty   USERACCOUNT_OLD_PASSWORD = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_OLD_PASSWORD);
     protected  DatatypeProperty   USERACCOUNT_LOGIN_COUNT = _constModel.createDatatypeProperty(VitroVocabulary.USERACCOUNT_LOGIN_COUNT);
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJena.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJena.java
index b369a5a91..5843f53c5 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJena.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJena.java
@@ -93,6 +93,7 @@ public class UserAccountsDaoJena extends JenaBaseDao implements UserAccountsDao
 					USERACCOUNT_EMAIL_ADDRESS));
 			u.setFirstName(getPropertyStringValue(r, USERACCOUNT_FIRST_NAME));
 			u.setLastName(getPropertyStringValue(r, USERACCOUNT_LAST_NAME));
+			u.setArgon2Password(getPropertyStringValue(r, USERACCOUNT_ARGON2_PASSWORD));
 			u.setMd5Password(getPropertyStringValue(r, USERACCOUNT_MD5_PASSWORD));
 			u.setOldPassword(getPropertyStringValue(r, USERACCOUNT_OLD_PASSWORD));
 			u.setPasswordLinkExpires(getPropertyLongValue(r,
@@ -225,6 +226,8 @@ public class UserAccountsDaoJena extends JenaBaseDao implements UserAccountsDao
 					userAccount.getLastName(), model);
 			addPropertyStringValue(res, USERACCOUNT_MD5_PASSWORD,
 					userAccount.getMd5Password(), model);
+			addPropertyStringValue(res, USERACCOUNT_ARGON2_PASSWORD,
+					userAccount.getArgon2Password(), model);
 			addPropertyStringValue(res, USERACCOUNT_OLD_PASSWORD,
 					userAccount.getOldPassword(), model);
 			addPropertyLongValue(res, USERACCOUNT_PASSWORD_LINK_EXPIRES,
@@ -288,6 +291,8 @@ public class UserAccountsDaoJena extends JenaBaseDao implements UserAccountsDao
 					userAccount.getLastName(), model);
 			updatePropertyStringValue(res, USERACCOUNT_MD5_PASSWORD,
 					userAccount.getMd5Password(), model);
+			updatePropertyStringValue(res, USERACCOUNT_ARGON2_PASSWORD,
+					userAccount.getArgon2Password(), model);
 			updatePropertyStringValue(res, USERACCOUNT_OLD_PASSWORD,
 					userAccount.getOldPassword(), model);
 			updatePropertyLongValue(res, USERACCOUNT_PASSWORD_LINK_EXPIRES,
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java
index 04e575f5a..b0141d532 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/AuthenticatorStub.java
@@ -102,6 +102,32 @@ public class AuthenticatorStub extends Authenticator {
 		return true;
 	}
 
+	@Override
+	public boolean md5HashIsNull(UserAccount userAccount){
+		if(userAccount!=null) {
+			if (userAccount.getMd5Password().compareTo("") == 0 || userAccount.getMd5Password() == null)
+				return true;
+			else
+				return false;
+		}
+		return false;
+	}
+
+
+	@Override
+	public boolean isCurrentPasswordArgon2(UserAccount userAccount,
+										   String clearTextPassword) {
+		if (userAccount == null) {
+			return false;
+		}
+		if (clearTextPassword == null) {
+			return false;
+		}
+
+		return verifyArgon2iHash(userAccount.getArgon2Password(),clearTextPassword);
+	}
+
+
 	@Override
 	public boolean isCurrentPassword(UserAccount userAccount,
 			String clearTextPassword) {
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLoginTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLoginTest.java
index 439afe951..d6aca919e 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLoginTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/authenticate/ProgramLoginTest.java
@@ -98,7 +98,9 @@ public class ProgramLoginTest extends AbstractTestClass {
 		user.setUri(uri);
 		user.setPermissionSetUris(Collections
 				.singleton(PermissionSets.URI_DBA));
-		user.setMd5Password(Authenticator.applyMd5Encoding(password));
+		user.setArgon2Password(Authenticator.applyArgon2iEncodingStub(password));
+		user.setMd5Password("");
+		//user.setMd5Password(Authenticator.applyMd5Encoding(password));
 		user.setLoginCount(loginCount);
 		user.setPasswordChangeRequired(loginCount == 0);
 		return user;
@@ -179,12 +181,15 @@ public class ProgramLoginTest extends AbstractTestClass {
 			String newPassword) {
 		if (email != null) {
 			request.addParameter(PARAM_EMAIL_ADDRESS, email);
+			System.out.println("1");
 		}
 		if (password != null) {
 			request.addParameter(PARAM_PASSWORD, password);
+			System.out.println("2");
 		}
 		if (newPassword != null) {
 			request.addParameter(PARAM_NEW_PASSWORD, newPassword);
+			System.out.println("3");
 		}
 
 		try {
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
index 527beebf5..a1bad1d48 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/controller/edit/AuthenticateTest.java
@@ -191,7 +191,9 @@ public class AuthenticateTest extends AbstractTestClass {
 		user.setEmailAddress(userInfo.username);
 		user.setUri(userInfo.uri);
 		user.setPermissionSetUris(userInfo.permissionSetUris);
-		user.setMd5Password(Authenticator.applyMd5Encoding(userInfo.password));
+		user.setArgon2Password(Authenticator.applyArgon2iEncodingStub(userInfo.password));
+		user.setMd5Password("");
+	//	user.setMd5Password(Authenticator.applyMd5Encoding(userInfo.password));
 		user.setLoginCount(userInfo.loginCount);
 		user.setPasswordChangeRequired(userInfo.loginCount == 0);
 		return user;
diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJenaTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJenaTest.java
index 3bf9604bf..13f241bd2 100644
--- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJenaTest.java
+++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/dao/jena/UserAccountsDaoJenaTest.java
@@ -91,19 +91,19 @@ public class UserAccountsDaoJenaTest extends AbstractTestClass {
 	@Before
 	public void createUserAccountValues() {
 		user1 = userAccount(URI_USER1, "email@able.edu", "Zack", "Roberts",
-				"garbage", "", 0L, false, 5, 12345678L, Status.ACTIVE, "user1",
+				"garbage", "" ,"", 0L, false, 5, 12345678L, Status.ACTIVE, "user1",
 				false, collection(URI_ROLE1), false, EMPTY);
-		userNew = userAccount("", "email@here", "Joe", "Blow", "XXXX", "YYYY",
+		userNew = userAccount("", "email@here", "Joe", "Blow", "XXXX","", "YYYY",
 				0L, false, 1, 0L, Status.ACTIVE, "jblow", false, EMPTY, false,
 				EMPTY);
 
-		userA = userAccount("", "aahern@here", "Alf", "Ahern", "XXXX", "YYYY",
+		userA = userAccount("", "aahern@here", "Alf", "Ahern", "XXXX", "", "YYYY",
 				0L, false, 1, 0L, Status.ACTIVE, "aahern", false, EMPTY, false,
 				collection(URI_PROFILE1));
-		userB = userAccount("", "email@here", "Betty", "Boop", "XXXX", "YYYY",
+		userB = userAccount("", "email@here", "Betty", "Boop", "XXXX", "", "YYYY",
 				0L, false, 1, 0L, Status.ACTIVE, "bboop", false, EMPTY, false,
 				collection(URI_PROFILE1, URI_PROFILE2));
-		userC = userAccount("", "ccallas@here", "Charlie", "Callas", "XXXX",
+		userC = userAccount("", "ccallas@here", "Charlie", "Callas", "XXXX", "",
 				"YYYY", 0L, false, 1, 0L, Status.ACTIVE, "ccallas", false,
 				EMPTY, false, collection(URI_PROFILE2));
 	}
@@ -179,7 +179,7 @@ public class UserAccountsDaoJenaTest extends AbstractTestClass {
 	@Test
 	public void updateUserAccountSuccess() {
 		UserAccount orig = userAccount(URI_USER1, "updatedEmail@able.edu",
-				"Ezekiel", "Roberts", "differentHash", "oldHash", 1L, false,
+				"Ezekiel", "Roberts", "differentHash", "", "oldHash", 1L, false,
 				43, 1020304050607080L, Status.ACTIVE, "updatedUser1", false,
 				collection(URI_ROLE1, URI_ROLE3), false, EMPTY);
 
@@ -379,7 +379,7 @@ public class UserAccountsDaoJenaTest extends AbstractTestClass {
 	}
 
 	private UserAccount userAccount(String uri, String emailAddress,
-			String firstName, String lastName, String md5Password,
+			String firstName, String lastName, String argon2Password, String md5Password,
 			String oldPassword, long passwordLinkExpires,
 			boolean passwordChangeRequired, int loginCount, long lastLoginTime,
 			Status status, String externalAuthId, boolean externalAuthOnly,
@@ -390,7 +390,9 @@ public class UserAccountsDaoJenaTest extends AbstractTestClass {
 		ua.setEmailAddress(emailAddress);
 		ua.setFirstName(firstName);
 		ua.setLastName(lastName);
-		ua.setMd5Password(md5Password);
+		ua.setArgon2Password(argon2Password);
+		ua.setMd5Password("");
+		//ua.setMd5Password(md5Password);
 		ua.setOldPassword(oldPassword);
 		ua.setPasswordLinkExpires(passwordLinkExpires);
 		ua.setPasswordChangeRequired(passwordChangeRequired);
@@ -411,6 +413,7 @@ public class UserAccountsDaoJenaTest extends AbstractTestClass {
 		out.setEmailAddress(in.getEmailAddress());
 		out.setFirstName(in.getFirstName());
 		out.setLastName(in.getLastName());
+		out.setArgon2Password(in.getArgon2Password());
 		out.setMd5Password(in.getMd5Password());
 		out.setOldPassword(in.getOldPassword());
 		out.setPasswordLinkExpires(in.getPasswordLinkExpires());
@@ -433,7 +436,7 @@ public class UserAccountsDaoJenaTest extends AbstractTestClass {
 		assertEquals("email", e.getEmailAddress(), a.getEmailAddress());
 		assertEquals("first name", e.getFirstName(), a.getFirstName());
 		assertEquals("last name", e.getLastName(), a.getLastName());
-		assertEquals("password", e.getMd5Password(), a.getMd5Password());
+		assertEquals("password", e.getArgon2Password(), e.getArgon2Password());
 		assertEquals("old password", e.getOldPassword(), a.getOldPassword());
 		assertEquals("link expires", e.getPasswordLinkExpires(),
 				a.getPasswordLinkExpires());
diff --git a/home/src/main/resources/config/example.runtime.properties b/home/src/main/resources/config/example.runtime.properties
index ae7027008..96ebd027c 100644
--- a/home/src/main/resources/config/example.runtime.properties
+++ b/home/src/main/resources/config/example.runtime.properties
@@ -88,7 +88,7 @@ rootUser.emailAddress = root@myDomain.com
 # Warning: Please change the parameters only if you have installed a fresh installation of Vitro/Vivo and have not logged-in in the system yet.
 # If you already have user accounts encrypted through these parameters please do not change them otherwise the existing users would not be able to log-in.
 #
-argon2.parallism = 1
+argon2.parallelism =1
 argon2.memory = 1024
 argon2.time = 1000
 
diff --git a/legacy/webapp/config/example.runtime.properties b/legacy/webapp/config/example.runtime.properties
index 1740630c3..96ebd027c 100644
--- a/legacy/webapp/config/example.runtime.properties
+++ b/legacy/webapp/config/example.runtime.properties
@@ -77,6 +77,21 @@ VitroConnection.DataSource.validationQuery = SELECT 1
 #
 rootUser.emailAddress = root@myDomain.com
 
+#
+# Argon2 password hashing parameters for time, memory and parallelism required to compute a hash.
+#
+# A time cost defines the amount of computation realized and therefore the execution time, given in a number of iterations
+# A memory cost defines the memory usage, given in kibibytes
+# A parallelism degree defines the number of parallel threads
+# For determining the optimal values of the parameters for your setup please refer to the white paper section  9 -  https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
+#
+# Warning: Please change the parameters only if you have installed a fresh installation of Vitro/Vivo and have not logged-in in the system yet.
+# If you already have user accounts encrypted through these parameters please do not change them otherwise the existing users would not be able to log-in.
+#
+argon2.parallelism =1
+argon2.memory = 1024
+argon2.time = 1000
+
 #
 # How is a logged-in user associated with a particular Individual? One way is 
 # for the Individual to have a property whose value is the username of the user.