
argon2 password hash consumes too much memory #14294

Closed
6543 opened this issue Jan 10, 2021 · 8 comments · Fixed by #14673
Labels
performance/memory Performance issues affecting memory use type/docs This PR mainly updates/creates documentation
Milestone

Comments

@6543
Member

6543 commented Jan 10, 2021

In the current config it takes 64M for one hashing.

We need a less resource-hungry default algo.

cc @KAepora @zeripath

refs:

@zeripath
Contributor

Thinking on it, I think leaving argon2 as the default is OK - however, we should ensure that users can set it on the install page (and there is an appropriate warning next to the option so our low-resource/heavy-load users can choose something different).

Leaving ourselves in a secure state by default is helpful.

@lunny lunny added the performance/memory Performance issues affecting memory use label Jan 10, 2021
@lafriks
Member

lafriks commented Jan 10, 2021

I agree with @zeripath on this

@lunny
Member

lunny commented Jan 11, 2021

And we should also update the document with some warnings.

@6543 6543 added the type/docs This PR mainly updates/creates documentation label Feb 7, 2021
@lunny
Member

lunny commented Feb 8, 2021

A PR is needed to add an option on the installation page with a warning, or we should change the default password hash algorithm. Since most Gitea users have small-memory instances, this is very important for them.

@6543 6543 added this to the 1.14.0 milestone Feb 8, 2021
@zeripath
Contributor

Having spent even more time dealing with more issues that have essentially come down to argon2 I have changed my mind on the above comment.

I now think we should just change it.

Our users cannot really be expected to think that their memory problems and slow downs are due to a password hashing algorithm.

@zeripath
Contributor

I guess the question is what should be the default? I guess we just move back to pbkdf2 but make it settable on the install page with warnings about the issues.

@techknowlogick techknowlogick changed the title argon2 password hash consume too mouch memory argon2 password hash consumes too much memory Feb 12, 2021
@vladionescu

What issues have we seen from this memory usage? I personally haven't encountered slowdowns, but my instance only has ~20 users so I am certainly not running a very busy Gitea.

Like a good KDF, Argon2 is designed to not be performant. If it was performant, it would be easy for attackers to brute force plaintext passwords should they ever get their hands on the hashes.

That said, it's also not meant to be a drag on the whole system. It has configurable parameters that influence memory usage, among other things. Have we considered tweaking those knobs or exposing them to admins, so they can be turned down for more resource constrained deployments?

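As an added illustration of the trade-off raised in the comment above (example code written for this page, not Gitea's own code and not posted by anyone in the thread): Argon2 allocates its full memory parameter for every hash it computes, so the per-hash cost multiplies by the number of logins being verified at the same time. The spec string format `argon2$t$m_kib$p$keylen`, the 1 GiB budget and the 32-login scenario are assumptions made for the example.

```python
from dataclasses import dataclass, replace

KIB = 1024


@dataclass(frozen=True)
class Argon2Params:
    """Cost knobs of Argon2 (RFC 9106): t passes, m KiB of memory, p lanes."""
    time_cost: int
    memory_kib: int
    parallelism: int
    key_len: int = 32

    def bytes_per_hash(self) -> int:
        # Argon2 fills its whole m KiB block array for every hash computed.
        return self.memory_kib * KIB


def parse_algo(spec: str) -> Argon2Params:
    """Parse a hypothetical 'argon2$t$m_kib$p$keylen' setting string.

    The format is an assumption for this example, not Gitea's own syntax.
    """
    name, *fields = spec.split("$")
    if name != "argon2" or len(fields) != 4:
        raise ValueError(f"unsupported hash spec: {spec!r}")
    t, m, p, k = (int(f) for f in fields)
    # RFC 9106 lower bounds: t >= 1, p >= 1, m >= 8*p KiB, tag length >= 4.
    if t < 1 or p < 1 or m < 8 * p or k < 4:
        raise ValueError(f"argon2 parameters out of range: {spec!r}")
    return Argon2Params(t, m, p, k)


def peak_memory(params: Argon2Params, concurrent_logins: int) -> int:
    """Worst-case bytes held by password hashing when N logins verify at once."""
    return params.bytes_per_hash() * concurrent_logins


def max_concurrent_logins(params: Argon2Params, budget_bytes: int) -> int:
    """How many simultaneous verifications fit inside a memory budget."""
    return budget_bytes // params.bytes_per_hash()


def fit_memory_to_budget(params, budget_bytes, concurrent_logins, floor_kib):
    """Halve m until the expected peak fits the budget, never below floor_kib.

    Each halving doubles t so total work (t * m) per hash stays roughly constant;
    memory-hardness against GPU/ASIC crackers still drops, which is what an admin
    turning this knob down should be warned about.
    """
    t, m = params.time_cost, params.memory_kib
    while m * KIB * concurrent_logins > budget_bytes and m // 2 >= floor_kib:
        m //= 2
        t *= 2
    return replace(params, time_cost=t, memory_kib=m)


if __name__ == "__main__":
    # Constructed scenario: a small instance giving password hashing 1 GiB.
    default = parse_algo("argon2$2$65536$4$32")  # 64 MiB per hash, as in the issue
    print("peak at 32 logins:", peak_memory(default, 32) // (1 << 20), "MiB")
    print("logins that fit in 1 GiB:", max_concurrent_logins(default, 1 << 30))
    print("tuned:", fit_memory_to_budget(default, 1 << 30, 32, floor_kib=16384))
```
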
@jolheiser
Member

Further discussion can be moved over to #14702 instead of a closed issue. 🙂

@go-gitea go-gitea locked and limited conversation to collaborators Mar 4, 2021
6 participants