Opened 5 years ago

Closed 4 years ago

#30472 closed Cleanup/optimization (fixed)

Argon2id should be supported and become the default variety for Argon2PasswordHasher

Reported by: Si Feng
Owned by: Florian Apolloner
Component: contrib.auth
Version: dev
Severity: Normal
Keywords: argon2, argon2id
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Si Feng)

There were three important changes in the upstream argon2-cffi library since Django 1.10 was released with Argon2 support:

  1. (Nov 10, 2016) argon2id support was added: https://github.com/hynek/argon2_cffi/commit/00120a9880a74a5aedb13ee343bf6ccd507bb2d8#diff-1efe26b4b54ac28232eaecb9107ee6ed
  2. (Apr 9, 2018) argon2id became its default type: https://github.com/hynek/argon2_cffi/pull/34/files
  3. (Aug 18, 2018) its hasher's default memory cost changed from 512 to 102400, and parallelism from 2 to 8, per RFC draft recommendations: https://github.com/hynek/argon2_cffi/commit/1ec39f8dc7a140b68099549b799301113576bde2

When Django 1.10 was released, only argon2d and argon2i were available, hence the hard-coded argon2i variety in Argon2PasswordHasher.

Though Django does not use its hasher, the memory_cost = 512 and parallelism = 2 in Argon2PasswordHasher were simply copied from argon2-cffi's hasher back then.

Now we should sync Django with upstream updates.

Change History (8)

comment:1 by Si Feng, 5 years ago

Description: modified (diff)

comment:2 by Si Feng, 5 years ago

Description: modified (diff)

comment:3 by Carlton Gibson, 5 years ago

Component: Uncategorized → contrib.auth
Triage Stage: Unreviewed → Accepted
Type: New feature → Cleanup/optimization

Great. Thanks.

PR

comment:4 by Mariusz Felisiak, 5 years ago

Needs documentation: set
Owner: changed from nobody to fengsi
Patch needs improvement: set
Status: new → assigned

comment:5 by Mariusz Felisiak, 4 years ago

Needs documentation: unset
Owner: changed from fengsi to Florian Apolloner
Patch needs improvement: unset

comment:6 by Mariusz Felisiak, 4 years ago

Triage Stage: Accepted → Ready for checkin

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

In faad809e:

Refs #30472 -- Simplified Argon2PasswordHasher with argon2-cffi 19.1+ API.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 4 years ago

Resolution: fixed
Status: assigned → closed

In 1621f06:

Fixed #30472 -- Made Argon2PasswordHasher use Argon2id.
