Opened 6 years ago

Closed 4 years ago

#30472 closed Cleanup/optimization (fixed)

Argon2id should be supported and become the default variety for Argon2PasswordHasher

Reported by: Si Feng Owned by: Florian Apolloner
Component: contrib.auth Version: dev
Severity: Normal Keywords: argon2, argon2id
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Si Feng)

There were three important changes in the upstream argon2-cffi library since Django 1.10 was released with Argon2 support:

  1. (Nov 10, 2016) argon2id support was added: https://github.com/hynek/argon2_cffi/commit/00120a9880a74a5aedb13ee343bf6ccd507bb2d8#diff-1efe26b4b54ac28232eaecb9107ee6ed
  2. (Apr 9, 2018) argon2id became its default type: https://github.com/hynek/argon2_cffi/pull/34/files
  3. (Aug 18, 2018) its hasher's default memory cost changed from 512 to 102400, and parallelism from 2 to 8, per RFC draft recommendations: https://github.com/hynek/argon2_cffi/commit/1ec39f8dc7a140b68099549b799301113576bde2

When Django 1.10 was released, only argon2d and argon2i were available, hence the hard-coded argon2i variety in Argon2PasswordHasher.

Though Django does not use its hasher, the memory_cost = 512 and parallelism = 2 in Argon2PasswordHasher were simply copied from argon2-cffi's hasher back then.

Now we should sync Django with upstream updates.

Change History (8)

comment:1 by Si Feng, 6 years ago

Description: modified (diff)

comment:2 by Si Feng, 6 years ago

Description: modified (diff)

comment:3 by Carlton Gibson, 6 years ago

Component: Uncategorizedcontrib.auth
Triage Stage: UnreviewedAccepted
Type: New featureCleanup/optimization

Great. Thanks.

PR

comment:4 by Mariusz Felisiak, 6 years ago

Needs documentation: set
Owner: changed from nobody to fengsi
Patch needs improvement: set
Status: newassigned

comment:5 by Mariusz Felisiak, 4 years ago

Needs documentation: unset
Owner: changed from fengsi to Florian Apolloner
Patch needs improvement: unset

comment:6 by Mariusz Felisiak, 4 years ago

Triage Stage: AcceptedReady for checkin

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

In faad809e:

Refs #30472 -- Simplified Argon2PasswordHasher with argon2-cffi 19.1+ API.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

Resolution: fixed
Status: assignedclosed

In 1621f06:

Fixed #30472 -- Made Argon2PasswordHasher use Argon2id.

Note: See TracTickets for help on using tickets.
Back to Top