On Fri, Aug 5, 2016 at 9:19 AM, Tom Worster <f...@thefsb.org> wrote:

> On 8/5/16 8:47 AM, Charles R. Portwood II wrote:
>
>> The RFC is available at: https://wiki.php.net/rfc/argon2_password_hash
>
> Hi Charles,
>
> Thanks for doing this. I'm glad Argon2 is coming to PHP.

Hi Tom,

Thanks for the feedback!

> You can have a longer voting period if you like, which I think would be
> a good idea.

Sounds good to me.

> I think it's confusing to have two consts to identify the algorithm. I
> don't understand the analogy to PASSWORD_DEFAULT. If we only provide
> Argon2i, one const is easier. If we anticipate adding another Argon2
> algo in the future that is not backward compatible with this one then I
> don't think we would want to change PASSWORD_ARGON2 to point to it.

I agree. Originally there was PASSWORD_ARGON2I and PASSWORD_ARGON2D, with PASSWORD_ARGON2 aliasing to PASSWORD_ARGON2I, but with Argon2d removed from scope the extra constant is now largely unnecessary. I don't anticipate Argon2 adding any additional algorithms at this point, given the spec and reference library are finalized. I think for clarity, PASSWORD_ARGON2I would be sufficient. What are your thoughts?

> Finally, I wonder if it wouldn't be better if, for the time being, we
> do not provide default costs constants. Argon2 is new (as crypto algos
> go) and very early in a gradual introduction in deployments. And it is
> hard to use because of the three cost factors. Correctly tuning those
> for different machines is not yet a commonly-understood skill. (You
> even can find conflicting advice on how to tune Bcrypt's time factor.)
> If, on the other hand, we omit the constants and require the $options
> argument then it discourages inexpert users. At the same time it
> encourages experimentation and understanding of the costs, among those
> who take an interest, which I think is just what we want.

The rationale for providing defaults is to ensure the password_* functions remain easy to use. Assuming that at some point PASSWORD_ARGON2I (or any new algorithm) would become PASSWORD_DEFAULT, the end user's expectations would be that *password_hash($password, PASSWORD_DEFAULT)* just works, without needing to specify additional arguments.

As the spec requires some minimum values to even work (and there are recommendations from the developers [1]), I think we should be providing defaults so that the algorithm works out of the box, though I agree they could be set to lower values. Note that the spec does specifically say that there is no "insecure" value for the memory and time cost attributes. If we wanted to drop it to the minimum recommended by the developers, the values would be:

    m_cost = 16
    t_cost = 2
    threads = 1

I'm open to other suggestions or alternatives though.

Thanks,

*Charles R. Portwood II*

[1]: https://github.com/P-H-C/phc-winner-argon2/issues/144
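
The per-machine tuning of the three cost factors discussed in this message, as an added example that is not part of the thread or the RFC. It uses the option names that `password_hash()` accepts in PHP 7.2 and later (`memory_cost` in KiB, `time_cost`, `threads`) rather than the `m_cost`/`t_cost` names above; the 64 MiB memory, 100 ms budget and pass bounds are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not from the RFC: needs PHP >= 7.2 built with Argon2 support.
defined('PASSWORD_ARGON2I') || exit("This PHP build has no Argon2 support\n");

/** Best-of-N wall-clock time, in milliseconds, for one Argon2i hash. */
function timeArgon2i(array $options, int $samples = 3): float
{
    $best = INF;
    for ($i = 0; $i < $samples; $i++) {
        $start = microtime(true);
        password_hash('constructed-sample-password', PASSWORD_ARGON2I, $options);
        $best = min($best, (microtime(true) - $start) * 1000.0);
    }
    return $best;
}

/**
 * Hold memory and threads fixed and raise time_cost until one hash takes at
 * least $targetMs here. $minPasses/$maxPasses are this example's assumptions.
 */
function calibrateTimeCost(int $memoryKiB, int $threads, float $targetMs, int $minPasses = 3, int $maxPasses = 32): array
{
    $options = ['memory_cost' => $memoryKiB, 'time_cost' => $minPasses, 'threads' => $threads];
    for ($t = $minPasses; $t <= $maxPasses; $t++) {
        $options['time_cost'] = $t;
        if (timeArgon2i($options) >= $targetMs) {
            break;
        }
    }
    return $options;
}

// Constructed inputs: 64 MiB of memory, one thread, 100 ms budget per hash.
$options = calibrateTimeCost(65536, 1, 100.0);
printf("chosen: memory_cost=%d KiB time_cost=%d threads=%d\n",
    $options['memory_cost'], $options['time_cost'], $options['threads']);

$hash = password_hash('constructed-sample-password', PASSWORD_ARGON2I, $options);
printf("verifies: %s\n", var_export(password_verify('constructed-sample-password', $hash), true));

// A hash stored with weaker costs is flagged so it can be upgraded at next login.
$old = password_hash('constructed-sample-password', PASSWORD_ARGON2I,
    ['memory_cost' => 1024, 'time_cost' => $options['time_cost'], 'threads' => 1]);
printf("old hash needs rehash: %s\n",
    var_export(password_needs_rehash($old, PASSWORD_ARGON2I, $options), true));
```

Run it on the production hardware class rather than a developer laptop, since the chosen `time_cost` depends on that machine's memory bandwidth and CPU.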