#34875 closed Cleanup/optimization (wontfix)
Use RFC 9106 recommendations in Argon2PasswordHasher
Reported by: | tecbr | Owned by: | nobody |
---|---|---|---|
Component: | contrib.auth | Version: | 4.2 |
Severity: | Normal | Keywords: | |
Cc: | Florian Apolloner | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The library used by Django for its implementation of argon2 (argon2-cffi) has, since 21.2.0 (2021-12-08), used the RFC 9106 low-memory profile by default.
References:
https://github.com/hynek/argon2-cffi/issues/101
https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md
https://github.com/hynek/argon2-cffi/blob/main/src/argon2/profiles.py
Why does Django not use these recommendations?
Change History (2)
comment:1 by , 15 months ago
Cc: | added |
---|---|
Resolution: | → wontfix |
Status: | new → closed |
comment:2 by , 15 months ago
I would be okay with updating to the low_memory profile to increase potential interop and be able to say "we are following the RFC" if some other requested changes come up :D
Thanks for the ticket. Django uses the default values for `salt_len` and `hash_len`. TBH, I don't see much value in decreasing `time_cost`, `memory_cost`, and `parallelism` to the new low-memory profile. It's also documented how to adjust parameters to your needs. I'd ask why Django should adapt to the new low-memory profile?
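For a project that does want the RFC 9106 low-memory profile, the documented route is to subclass `Argon2PasswordHasher` and list the subclass first in `PASSWORD_HASHERS`; existing hashes keep verifying and are re-hashed on the next successful login because the hasher's `must_update()` sees different parameters. The following is an added example, not Django's or argon2-cffi's own code. It assumes argon2-cffi's `RFC_9106_LOW_MEMORY` values (argon2id, `t=3`, `m=65536` KiB, `p=4`) and Django 4.2's defaults (`t=2`, `m=102400` KiB, `p=8`); the `must_update()` re-implementation is a simplified stand-in for Django's, the subclass name is hypothetical, and the sample hash strings are constructed with placeholder salt and hash fields.

```python
"""Parse Django-stored argon2 hashes and decide whether they need rehashing
against a target parameter profile (added example, not Django's own code)."""
import re

# argon2-cffi >= 21.2.0 default profile (profiles.RFC_9106_LOW_MEMORY), argon2id.
RFC_9106_LOW_MEMORY = {"time_cost": 3, "memory_cost": 65536, "parallelism": 4}
# Django 4.2 Argon2PasswordHasher class attributes.
DJANGO_DEFAULTS = {"time_cost": 2, "memory_cost": 102400, "parallelism": 8}

# Django stores "argon2$" followed by the PHC-style string from argon2-cffi:
# argon2$argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt-b64>$<hash-b64>
_ENCODED_RE = re.compile(
    r"^(?:argon2\$)?(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)\$(?P<salt>[^$]+)\$(?P<hash>[^$]+)$"
)


def parse_argon2(encoded):
    """Return variant, version and cost parameters of a stored argon2 hash."""
    match = _ENCODED_RE.match(encoded)
    if not match:
        raise ValueError("not an argon2 encoded hash")
    return {
        "variant": match["variant"],
        "version": int(match["version"]),
        "memory_cost": int(match["m"]),
        "time_cost": int(match["t"]),
        "parallelism": int(match["p"]),
    }


def must_update(encoded, target=RFC_9106_LOW_MEMORY):
    """True when the hash was not produced with argon2id v19 at the target costs.

    Simplified stand-in for Django's Argon2PasswordHasher.must_update(): a True
    result means the password gets re-hashed with the current parameters after
    a successful login, so lowering or raising costs never locks anyone out.
    """
    params = parse_argon2(encoded)
    if params["variant"] != "argon2id" or params["version"] != 19:
        return True
    return any(params[key] != value for key, value in target.items())


try:
    from django.contrib.auth.hashers import Argon2PasswordHasher
except ImportError:  # Django not installed: the parser and check still run
    Argon2PasswordHasher = object


class RFC9106LowMemoryArgon2PasswordHasher(Argon2PasswordHasher):
    """Hypothetical subclass; put it first in settings.PASSWORD_HASHERS."""
    time_cost = RFC_9106_LOW_MEMORY["time_cost"]
    memory_cost = RFC_9106_LOW_MEMORY["memory_cost"]
    parallelism = RFC_9106_LOW_MEMORY["parallelism"]


# Constructed samples: parameter fields are realistic, the salt and hash
# fields are placeholder base64 and not real argon2 output.
DJANGO_DEFAULT_HASH = "argon2$argon2id$v=19$m=102400,t=2,p=8$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA"
RFC_LOW_MEMORY_HASH = "argon2$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA"
LEGACY_ARGON2I_HASH = "argon2$argon2i$v=19$m=512,t=2,p=2$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaA"

if __name__ == "__main__":
    for label, encoded in [
        ("django 4.2 default", DJANGO_DEFAULT_HASH),
        ("rfc 9106 low-memory", RFC_LOW_MEMORY_HASH),
        ("legacy argon2i", LEGACY_ARGON2I_HASH),
    ]:
        print(label, parse_argon2(encoded), "rehash:", must_update(encoded))
```

Note the trade-off the comment above alludes to: the RFC profile raises `time_cost` while lowering `memory_cost` and `parallelism`, so switching is not simply "weaker" or "stronger" but a different balance between memory hardness and wall-clock cost per hash, which is why the decision is left to each deployment.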