I wrote a tool that should help developers figure out good Argon2id parameters for their local environment. https://github.com/paragonie/argon2-refiner …
You still need to account for how many hashes are going to be computed simultaneously. Unless you serialize everything. And then you have a different kind of DoS vector.
Sure, but the advice that folks in the PHP ecosystem have been given for the better part of a decade has been "figure out how many hashes/second you need to be able to handle per worker process, then target that" with bcrypt costs.
Since we're changing the defaults in 7.4, I thought it'd be helpful to actually provide a means to do exactly that. :)