
Argon2id should be the default #33

Closed
philtay opened this Issue Jan 31, 2018 · 5 comments

Comments

@philtay

philtay commented Jan 31, 2018

Currently Argon2i is used as the default algorithm. There are two published attacks against it. The recommended and primary variant of Argon2 is Argon2id (also default in libsodium).

@hynek


Owner

hynek commented Jan 31, 2018

Hm yeah, I guess I’ll have to build hash flexibility (that’s the wrong word, isn’t it :)) into PasswordHasher and update the docs.

@philtay


philtay commented Jan 31, 2018

Yep!

  • Default to Argon2id
  • time_cost=1
  • memory_cost=32*1024 (i.e. 32 MiB)
  • parallelism=len(os.sched_getaffinity(0))

@hynek


Owner

hynek commented Jan 31, 2018

Yeah, I’ll try to read myself through the RFC on the weekend. I’ve pinged Django about it too since they use the low-level functions.

@hynek


Owner

hynek commented Mar 22, 2018

I have started working on that in #34, but I don’t think I’m comfortable changing the other default parameters.

@philtay


philtay commented Mar 23, 2018

memory_cost is arbitrary; the others are sane defaults. A time_cost > 1 doesn't make much sense for password hashing, and having parallelism = number of cores is quite obvious. Anyway, more than hardcoded default arguments, we need a helper function that, given a time constraint, returns optimal parameters. That's a good one: https://gitlab.com/cryptsetup/cryptsetup/blob/master/lib/crypto_backend/pbkdf_check.c#L202
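A sketch of the kind of helper proposed above: given a per-hash time budget, keep time_cost=1 and parallelism=cores as the thread suggests and search for the largest memory_cost that fits, in the spirit of cryptsetup's benchmark. This is an added example, not code from this project or its maintainer; it assumes the argon2-cffi low-level API (`argon2.low_level.hash_secret_raw`, `Type.ID`), and the hashing callable is injectable so the search logic can be exercised with a constructed timing model.

```python
"""Pick Argon2id parameters for a wall-clock budget (added example)."""
import os
import time
from typing import Callable, Dict, Optional

TimeOneHash = Callable[[int], float]  # memory_cost in KiB -> seconds


def default_parallelism() -> int:
    """Lanes = CPUs this process may run on; sched_getaffinity is Linux-only."""
    try:
        return len(os.sched_getaffinity(0))
    except AttributeError:
        return os.cpu_count() or 1


def time_argon2id(memory_cost_kib: int, parallelism: int) -> float:
    """Seconds for one Argon2id hash with time_cost=1 (argon2-cffi, assumed API)."""
    from argon2.low_level import Type, hash_secret_raw

    start = time.perf_counter()
    hash_secret_raw(b"benchmark-secret", b"constructed-salt", time_cost=1,
                    memory_cost=memory_cost_kib, parallelism=parallelism,
                    hash_len=32, type=Type.ID)
    return time.perf_counter() - start


def calibrate_memory_cost(time_one_hash: TimeOneHash, target_seconds: float,
                          min_mib: int = 8, max_mib: int = 1024) -> int:
    """Largest memory_cost (KiB, whole MiB) whose single hash fits the budget.

    Memory is the only knob tuned here; binary search relies on hash time
    growing monotonically with memory, which holds for Argon2."""
    lo, hi = min_mib, max_mib
    if time_one_hash(lo * 1024) > target_seconds:
        return lo * 1024            # floor: never go below the minimum
    if time_one_hash(hi * 1024) <= target_seconds:
        return hi * 1024
    while hi - lo > 1:              # invariant: lo fits, hi does not
        mid = (lo + hi) // 2
        if time_one_hash(mid * 1024) <= target_seconds:
            lo = mid
        else:
            hi = mid
    return lo * 1024


def recommend_argon2id(target_seconds: float,
                       time_one_hash: Optional[TimeOneHash] = None) -> Dict[str, object]:
    """Parameter set in the shape the thread proposes, tuned to this machine."""
    lanes = default_parallelism()
    if time_one_hash is None:
        time_one_hash = lambda kib: time_argon2id(kib, lanes)
    return {"type": "Argon2id", "time_cost": 1, "parallelism": lanes,
            "memory_cost": calibrate_memory_cost(time_one_hash, target_seconds)}


if __name__ == "__main__":
    print(recommend_argon2id(0.1))  # about 100 ms per verification on this host
```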
