Opened 16 months ago

Closed 16 months ago

Last modified 16 months ago

#34875 closed Cleanup/optimization (wontfix)

Use RFC 9106 recommendations in Argon2PasswordHasher

Reported by: tecbr
Owned by: nobody
Component: contrib.auth
Version: 4.2
Severity: Normal
Keywords:
Cc: Florian Apolloner
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The library used by Django for its implementation of argon2 (argon2-cffi) has, since 21.2.0 (2021-12-08), used the RFC 9106 low memory profile by default.

References:
https://github.com/hynek/argon2-cffi/issues/101
https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md
https://github.com/hynek/argon2-cffi/blob/main/src/argon2/profiles.py

Why does Django not use these recommendations?

Change History (2)

comment:1 by Mariusz Felisiak, 16 months ago

Cc: Florian Apolloner added
Resolution: wontfix
Status: new → closed

Thanks for the ticket. Django uses the default values for salt_len and hash_len. TBH, I don't see much value in decreasing time_cost, memory_cost, and parallelism to the new low-memory profile. It's also documented how to adjust parameters to your needs.

Why does Django not use these recommendations?

I'd ask why Django should adapt to the new low-memory profile?

comment:2 by Florian Apolloner, 16 months ago

I would be okay with updating to the low_memory profile to increase potential interop and be able to say "we are following the RFC" if some other requested changes come up :D
