Unfortunately Fossil uses a fast SHA hash for the password hashes of user accounts in the database, rather than a key derivation function, which is disappointing.
My fossil knowledge might be a fossil itself, but isn’t the database used for everything?
If someone gets hold of the hashes, they already have everything. So, whats the threat that is enabled by poor pw hashing?
Anyways, passwords should always be hashed with good password hashing functions (not all kdf are good for that) even if it is not strictly necessary. Just in case.
