Questions tagged [argon2]
Argon2 is a key derivation function that was selected as the winner of the Password Hashing Competition in July 2015.
33 questions
2 votes, 1 answer, 617 views
Password checks in backend vs. password encrypted data sent to frontend?
Let's assume I am building a pastebin-like web app: users can upload text notes and share them. Users should be able to password-protect notes. Whenever viewing such a note, other users must first ...
4 votes, 2 answers, 2k views
argon2id: Do I have to protect against timing attacks on login?
From other password hashing algorithms, I know that when a user tries to log in, and the account does not exist in the first place, it's best practice to still hash the provided password, so as not to ...
3 votes, 1 answer, 499 views
Why does OWASP recommend only 1 degree of parallelism for Argon2id
Referencing this document, they give justifications for a number of their recommendations, but not any behind only going with 1 degree of parallelism for using Argon2id. Is there a reason why this is ...
1 vote, 1 answer, 282 views
Algorithms when using client side hashing plus server side hashing
So if I got this right from my intense research, the following procedure would be preferable:
Use the PBKDF2 key derivation function to derive a secret key from the user's password on the client side.
...
1 vote, 0 answers, 35 views
How should an argon2 hash be stored? [duplicate]
Given the following argon2 hash
$argon2id$v=19$m=65536,t=32,p=8$mJmKA5qamzXOPJZYw4wCEUKY$COkMH0RckaZ/3bhYCdCQjLuzoLKxcAmk4TzmHRRgTQ8
How should the hash be stored in a database? From the answers of ...
1 vote, 0 answers, 35 views
Argon2 is worse than bcrypt at runtimes < 1000 ms? [duplicate]
While Argon2 seems to be recommended for password hashing, based on this tweet Argon2 is worse than bcrypt at runtimes < 1000 ms.
Based on this answer:
You should tweak the parameters to your own ...
0 votes, 1 answer, 2k views
How long would it take to crack hashed password stored in plain sight?
I want to store a password hash in plain sight. If I am using a dictionary to crack an Argon2 hashed password that I am storing in plain sight, how long would it take (assuming my password is ...
0 votes, 1 answer, 2k views
What argon2id parameters should I adjust [closed]
I am currently running the argon2id hashing function with the below parameters on my iPhone XS:
Iterations: 8, Memory: 64MB, Parallelism: 8, HashLength: 32,
These params allow hashing time to be less than ...
4 votes, 1 answer, 1k views
Practicality of outsourcing password hashing using enclaves
I've been pondering some potential cybersecurity applications for enclaves. One of them being the problem of password hashing.
Some clients have enclave support, meaning part of their CPU can securely ...
18 votes, 3 answers, 21k views
Argon2 vs SHA-512, what's better in my case?
First I am very bad in cryptographic algorithms.
I found online that Argon2 is more secure than SHA-512, so I used it for password hashing.
There're recommended options for Argon2:
Memory: 4Gb
...
1 vote, 2 answers, 2k views
Does sending hashed password over url path parameter secure?
I need to create WebSocket authentication mechanism without using ticketing, so the whole authentication needs to be performed via HTTP (over SSL) GET request which is sent to upgrade connection to ...
11 votes, 2 answers, 7k views
Since GPUs have gigabytes of memory, does Argon2id need to use gigabytes of memory as well in order to effectively thwart GPU cracking?
The common advice of benchmarking a password hashing algorithm and choosing the slowest acceptable cost factor doesn't work for algorithms with more than one parameter: adding a lot of iterations at ...
1 vote, 3 answers, 1k views
How does memory-hard hashing passwords protect against brute force attacks?
I have a background in web app development and I'm trying to up my security game but there are some things that I find confusing.
Like how does memory-hard hashed passwords protect against brute force ...
0 votes, 1 answer, 468 views
Is using Argon2 with a public random on client side a good idea to protect passwords in transit?
Not sure if this belongs in Crypto SE or here but anyway:
I'm building an app and I'm trying to decide whatever is secure to protect user passwords in transit, in addition to TLS we already have.
In ...
2 votes, 0 answers, 549 views
Is it possible to use Argon2id hashes with PAM?
I was wondering if it's possible to implement more secure KDF like bcrypt, scrypt, pbkdf2 and argon2id in PAM authentication.
Ideally I would like to have their hashes instead of SHA-512 ones directly ...