Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set argon2 as default hashing algorithm for mix.gen.auth #4471

Merged
merged 1 commit into from
Sep 10, 2021
Merged

Set argon2 as default hashing algorithm for mix.gen.auth #4471

merged 1 commit into from
Sep 10, 2021

Conversation

goncalotomas
Copy link
Contributor

@goncalotomas goncalotomas commented Sep 10, 2021
edited
Loading

Argon2 is now recommended by OWASP as being a modern and secure password hashing algorithm. The OWASP Password Storage page states that the first choice should be Argon2, listing bcrypt as a second option when Argon2 is not available.

This Pull Request sets Argon2 as a default algorithm used in mix.gen.auth and updates the test suite accordingly.

I decided not to update the default option for Windows as I am unaware of the stability of the Argon2 library on that Operating System.

I tried to follow the contribution guidelines but seeing as this is my first PR to Phoenix I will be happy to change anything that is not as expected.

@josevalim josevalim merged commit 1d5029f into phoenixframework:master Sep 10, 2021
@josevalim
Copy link
Member

💚 💙 💜 💛 ❤️

@goncalotomas goncalotomas deleted the fix/set-argon2-default-in-mix-gen-auth branch September 10, 2021 23:00
kgautreaux added a commit to kgautreaux/phoenix that referenced this pull request Sep 15, 2021
@kgautreaux
Unix default hashing algorithm changed in phoenixframework#4471
5efc371 
This just syncs the documentation with the PR from @goncalotomas in phoenixframework#4471
@kgautreaux kgautreaux mentioned this pull request Sep 15, 2021
Merged
josevalim pushed a commit that referenced this pull request Sep 17, 2021
@kgautreaux
Unix default hashing algorithm changed in #4471 (#4486)
fda6ab1 
This just syncs the documentation with the PR from @goncalotomas in #4471
@chrismccord
Copy link
Member

We may need to revert this as some users are experiencing OOM failures on smaller instances. It seems argon2 is enough to OOM 256MB instances easily, so I think unfortunately it's a poor default when bcrypt remains a great option.

ref: https://elixirforum.com/t/staging-environment-how-to-debug-out-of-memory-errors-in-production-on-fly-io/42763

I will touch base with the team tomorrow and cut a new release if everything checks out.

josevalim added a commit that referenced this pull request Oct 1, 2021
@josevalim
Revert "Set argon2 as default hash alg for mix.gen.auth (#4471)"
e72b199 
This reverts commit 1d5029f.
@josevalim
Copy link
Member

I have reverted it on master but added notes that users should consider using argon2. 👍

chrismccord pushed a commit that referenced this pull request Oct 8, 2021
@josevalim @chrismccord
Revert "Set argon2 as default hash alg for mix.gen.auth (#4471)"
6ae85ce 
This reverts commit 1d5029f.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@goncalotomas @josevalim @chrismccord