
[5.6] Add hashing configuration #23573

Merged
merged 2 commits into from
Mar 17, 2018

Conversation

huguesjoyal
Contributor

@huguesjoyal huguesjoyal commented Mar 16, 2018

When configuring hashing we should be able to manage the default settings.

The default configuration of argon is good for small systems but should be adjusted to target 0.5 sec to make a brute force attack harder.

The configuration file (hashing.php) should then have options to do that.

    /*
    |--------------------------------------------------------------------------
    | bcrypt options
    |--------------------------------------------------------------------------
    |
    | Here we define the number of rounds the bcrypt algorithm will use.
    |
    | The two-digit cost parameter is the base-2 logarithm of the iteration
    | count for the underlying Blowfish-based hashing algorithm and must
    | be in the range 04-31; values outside this range will cause crypt() to fail.
    |
    | Default: 10
    */
    'bcrypt' => [
        'rounds' => 10,
    ],

    /*
    |--------------------------------------------------------------------------
    | argon options
    |--------------------------------------------------------------------------
    |
    | These settings should be adjusted depending on your hardware.
    |
    | time: Maximum amount of time (iterations) it may take to compute the
    |        Argon2 hash. (default: 2)
    |
    | memory: Maximum memory (in kibibytes) that may be used to compute the
    |        Argon2 hash. (default: 1024)
    |
    | threads: Number of threads to use for computing the Argon2 hash.
    |        (default: 2)
    |
    */
    'argon' => [
        'time' => 2,
        'memory' => 1024,
        'threads' => 2,
    ],

@taylorotwell
Member

You can pass the options when hashing.

@huguesjoyal
Contributor Author

Yes, sure we can, but when using the default Laravel login / password / register flow it uses the default configuration in the class, which in the case of argon is not strong enough to resist a brute force attack against a password list.

I think that including this in the configuration would be great instead of having to modify the Login/Register and change-password controllers.

According to NCC Group (nccgroup.trust), slower === better in terms of hashing for password protection.

https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2015/march/enough-with-the-salts-updates-on-secure-password-schemes/

The following link displays many possible configurations that could and should be used to slow down attacks on scrypt and argon2.
https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing/
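The tuning step that the PR description ("target 0.5 sec") and the reply above argue for, as an added example that is not code from this PR or from Laravel: it searches for the bcrypt cost and the Argon2i time_cost that bring one password_hash() call to a wall-clock target on the machine it runs on, emits them in the key shape of the proposed config/hashing.php, and then shows how an application detects stored hashes made with the older, weaker parameters. The 0.5 s target, the 64 MiB / 2-thread Argon2 starting point and the function names are assumptions; it needs PHP 7.2 or later built with Argon2 support.

```php
<?php
// Added example, not code from the PR or from Laravel: find the bcrypt cost
// and Argon2i time_cost that bring one password_hash() call to a wall-clock
// target, emit them in the key shape of the proposed config/hashing.php, and
// show how an application detects stored hashes made with weaker settings.
// Assumptions: PHP >= 7.2 compiled with Argon2 support, a 0.5 s target,
// and the memory/thread starting values chosen below.
declare(strict_types=1);

const TARGET_SECONDS = 0.5;

/** Wall-clock seconds for one password_hash() call with the given options. */
function timeHash(string $algo, array $options): float
{
    $start = microtime(true);
    password_hash('correct horse battery staple', $algo, $options);
    return microtime(true) - $start;
}

/** Smallest bcrypt cost in the valid range 4..31 whose hash takes >= $target s. */
function tuneBcryptRounds(float $target = TARGET_SECONDS): int
{
    for ($cost = 4; $cost <= 31; $cost++) {
        if (timeHash(PASSWORD_BCRYPT, ['cost' => $cost]) >= $target) {
            return $cost;
        }
    }
    return 31;
}

/**
 * Smallest Argon2i time_cost reaching $target with memory and threads held
 * fixed. Memory is the main defence against GPU/ASIC attackers, so it is
 * chosen first and only the iteration count is tuned here.
 */
function tuneArgon2i(int $memoryKiB, int $threads, float $target = TARGET_SECONDS): array
{
    $options = ['memory_cost' => $memoryKiB, 'time_cost' => 1, 'threads' => $threads];
    for ($time = 1; $time <= 32; $time++) {
        $options['time_cost'] = $time;
        if (timeHash(PASSWORD_ARGON2I, $options) >= $target) {
            break;
        }
    }
    return $options;
}

/** Map PHP's option names onto the keys proposed for config/hashing.php. */
function toHashingConfig(int $bcryptRounds, array $argon): array
{
    return [
        'bcrypt' => ['rounds' => $bcryptRounds],
        'argon'  => [
            'time'    => $argon['time_cost'],
            'memory'  => $argon['memory_cost'],
            'threads' => $argon['threads'],
        ],
    ];
}

if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2 support.\n");
    exit(1);
}

$rounds = tuneBcryptRounds();
$argon  = tuneArgon2i(65536, 2);   // 64 MiB, 2 lanes: assumed starting point
var_export(toHashingConfig($rounds, $argon));
echo PHP_EOL;

// A hash stored before the tuning, made with PHP's built-in Argon2i defaults.
$legacy = password_hash('hunter2', PASSWORD_ARGON2I);

// Login still succeeds against the old hash ...
if (!password_verify('hunter2', $legacy)) {
    throw new RuntimeException('legacy hash no longer verifies');
}

// ... and password_needs_rehash() flags it for re-hashing with the new
// parameters on the next successful login, which is how a stronger config
// is rolled out without forcing every user to reset their password.
if (password_needs_rehash($legacy, PASSWORD_ARGON2I, $argon)) {
    $upgraded = password_hash('hunter2', PASSWORD_ARGON2I, $argon);
    echo "legacy hash would be re-hashed: ", $upgraded, PHP_EOL;
}
```

Run it on the hardware that will actually serve logins, not on a developer laptop: the cost that lands at 0.5 s on one box can be several times slower or faster on another. Note the naming mismatch between the proposed config and PHP's own option keys: the PR's `rounds` is PHP's bcrypt `cost`, and `time`, `memory`, `threads` are PHP's `time_cost`, `memory_cost` and `threads`, with memory counted in kibibytes.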

@taylorotwell taylorotwell reopened this Mar 17, 2018
@taylorotwell taylorotwell merged commit 76bbf5e into laravel:5.6 Mar 17, 2018
@huguesjoyal
Contributor Author

Should I create a pull request for the configuration file (hashing.php) in the laravel/laravel project?

@GrahamCampbell GrahamCampbell changed the title Add hashing configuration [5.6] Add hashing configuration Mar 17, 2018
@tillkruss
Collaborator

@huguesjoyal: Can you please make a PR to the config/hashing.php on the laravel/laravel repo as well?
