On Fri, Aug 5, 2016 at 9:49 AM, Charles R. Portwood II <charlesportwoo...@erianna.com> wrote:

> On Fri, Aug 5, 2016 at 9:19 AM, Tom Worster <f...@thefsb.org> wrote:
>
>> On 8/5/16 8:47 AM, Charles R. Portwood II wrote:
>>
>>> The RFC is available at: https://wiki.php.net/rfc/argon2_password_hash
>>>
>>
>> Hi Charles,
>>
>> Thanks for doing this. I'm glad Argon2 is coming to PHP.
>
>
> As the spec requires some minimum values to even work (and there are
> recommendations from the developers [1]), I think we should be providing
> defaults so that the algorithm works out of the box, though I agree they
> could be set to lower values. Note that the spec does specifically say that
> there is no "insecure" value for the memory and time cost attributes. If we
> wanted to drop it to the minimum recommended by the developers, the values
> would be:
>
> m_cost = 16
> t_cost = 2
> threads = 1
>
> I'm open to other suggestions or alternatives though.
>
> Thanks,
> *Charles R. Portwood II*
>
> [1]: https://github.com/P-H-C/phc-winner-argon2/issues/144
>
>
For clarity, a memory cost of 16 implies 65536 KiB, or 64 MiB of memory.
The only difference between the values recommended by the developers and
the cost outlined in the RFC is that the t_cost is set to 3.

*Charles R. Portwood II*
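
An added example, not part of the original message or the RFC: a check that flags stored Argon2i hashes whose parameters fall below the floor quoted in the thread (m_cost = 16, t_cost = 2, threads = 1) and rehashes them on a successful login. It assumes a PHP build with Argon2 support, where `memory_cost` is given in KiB rather than as the exponent used in the thread; the function names are hypothetical.

```php
<?php
// Floor taken from the thread; m_cost is an exponent, so 16 means 2^16 KiB.
const MIN_M_COST_LOG2 = 16;
const MIN_T_COST = 2;
const MIN_THREADS = 1;

// Translate the thread's values into the option array password_hash() takes.
function argon2Floor(): array
{
    return [
        'memory_cost' => 1 << MIN_M_COST_LOG2, // 65536 KiB = 64 MiB
        'time_cost'   => MIN_T_COST,
        'threads'     => MIN_THREADS,
    ];
}

// Return the names of the parameters of $hash that are below the floor.
function belowFloor(string $hash): array
{
    $info = password_get_info($hash);
    if (($info['algoName'] ?? '') !== 'argon2i') {
        return ['algorithm']; // not an Argon2i hash at all
    }
    $weak = [];
    foreach (argon2Floor() as $name => $min) {
        if (($info['options'][$name] ?? 0) < $min) {
            $weak[] = $name;
        }
    }
    return $weak;
}

// Verify a login; return null on failure, otherwise the hash to store.
function verifyAndUpgrade(string $password, string $stored): ?string
{
    if (!password_verify($password, $stored)) {
        return null;
    }
    return belowFloor($stored) === []
        ? $stored
        : password_hash($password, PASSWORD_ARGON2I, argon2Floor());
}

// Constructed sample: a hash made with a memory cost below the floor.
$weak = password_hash('constructed-sample', PASSWORD_ARGON2I,
    ['memory_cost' => 1024, 'time_cost' => 2, 'threads' => 1]);
var_dump(belowFloor($weak));
var_dump(belowFloor(verifyAndUpgrade('constructed-sample', $weak)));
```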
