I've implemented PBKDF2-HMAC-SHA1 in TF-Login 'password' branch to replace the existing simple and insecure SHA1-based password hashing scheme.
To load, start with fresh Pharo 7 image:
"First load Seaside." Metacello new baseline: 'Seaside3'; repository: 'github://SeasideSt/Seaside:v3.3.3/repository'; load. "Then load TF-Login." Metacello new baseline: 'TFLogin'; repository: 'github://PierceNg/TF-Login:password/src'; load.
As originally implemented, TF-Login also supports cookie-based auto-login, which works by storing username and the SHA1-hashed password in client cookies. This scheme is certainly not secure by current standards and can't be used together with PBKDF2-HMAC-SHA1 password hashing.
Possible future work on TF-Login password management:
OAuth2, to replace the existing insecure cookie-based auto-login