#34875 closed Cleanup/optimization (wontfix)
Use RFC 9106 recommendations in Argon2PasswordHasher
| Reported by: | tecbr | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | 4.2 |
| Severity: | Normal | Keywords: | |
| Cc: | Florian Apolloner | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The library used by Django for implementation of argon2 (argon2-cffi) sinse 21.2.0 (2021-12-08) uses the RFC 9106 low memory profile by default.
References:
https://github.com/hynek/argon2-cffi/issues/101
https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md
https://github.com/hynek/argon2-cffi/blob/main/src/argon2/profiles.py
Why Django does not use these recommendations?
Change History (2)
comment:1 by , 14 months ago
| Cc: | added |
|---|---|
| Resolution: | → wontfix |
| Status: | new → closed |
comment:2 by , 14 months ago
I would be okay with updating to the low_memory profile to increase potential interop and be able to say "we are following the RFC" if some other requested changes come up :D
Note:
See TracTickets
for help on using tickets.
Thanks for the ticket. Django uses the default values for
salt_lenandhash_len. TBH, I don't see much value in decreasingtime_cost,memory_cost, andparallelismto the new low-memory profile. It's also documented how to adjust parameters to your needs.I'd ask why Django should adapt to the new low-memory profile?