If you were building a password store from scratch in 2018, almost 2019, what would you use today and with what parameters? bcrypt, scrypt, argon2?
Replying to @vcsjones
Hash-then-encrypt
Password hash: Argon2id, N=32MiB, r=2, p=2
Encryption: XChaCha20-Poly1305
Webserver has the keys, database on separate hardware (e.g. Amazon RDS)
Replying to @CiPHPerCoder @vcsjones
Where did you come to those params for Argon2?
They're the *_INTERACTIVE constants in libsodium
Those aren't the defaults. It's N=64MiB and p=1 since June 2017 and probably since Argon2id was added (https://github.com/jedisct1/libsodium/blame/32e36af97ef2116179cf6489e1f95f31d6b14e95/src/libsodium/include/sodium/crypto_pwhash_argon2id.h#L70 and https://github.com/jedisct1/libsodium/blame/32e36af97ef2116179cf6489e1f95f31d6b14e95/src/libsodium/crypto_pwhash/argon2/pwhash_argon2id.c#L200). Note that these settings are 4x harder for GPUs. Also bcrypt is better for auth until maybe DDR5 or DDR6 and GPUs stagnate.
Replying to @Sc00bzT @CiPHPerCoder and
Correct. But you just replied to a 172-day-old tweet :)
Replying to @jedisct1 @CiPHPerCoder and
Steve Retweeted Paul Moore 🇬🇧
Steve added,
sidesteps from room....
NBD. These parameters are still totally acceptable. If you’re using these, you’re doing a far better job than virtually everybody else in the industry.