Hello,
This morning I submitted a Pull Request[1], which adds a PasswordHasher for
argon2 – the winner of the Password Hashing Competition.[2] Tim Graham
mentioned I should send an e-mail to this list to discuss it.
The patch is mostly pretty straight-forward. I would like to add a few
remarks on some of the choices.
1. There are two Python packages that implement argon2. Both bind
libargon2[3]. The first is argon2_py[4], which uses ctypes. The second is
argon2-cffi[5], which uses... cffi. Bindings using cffi are more portable,
so I choose argon2-cffi.
2. argon2 has four parameters: (i) variety ("type"), (ii) time cost ("t"),
(iii) memory cost ("m") and (iv) parallelism ("p"). There are two
varieties: argon2i and argon2d. The first (argon2i) is safest against
side-channel attacks. The second tries less hard to be secure against
side-channel attacks in favour of being more resilient against GPU
brute-forcing. For web-apps, the first "argon2i" is the clear choice. For
the other parameters I choose to use the same defaults as of argon2-cffi:
t=2, m=512, p=2. On a i7-4790 @ 3.6Ghz the hash takes around 2ms to
compute.
Best wishes,
Bas
[1] https://github.com/django/django/pull/5876
[2] https://password-hashing.net
[3] https://github.com/p-h-c/phc-winner-argon2
[4] https://github.com/flamewow/argon2_py
[5] https://github.com/hynek/argon2_cffi
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/12161663-19c9-4b29-95ad-4d5034395184%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
