rfc:argon2_password_hash [2016/08/05 18:30] – charlesportwoodii | rfc:argon2_password_hash [2018/03/01 23:27] (current) – RFC was implemented in PHP 7.2 carusogabriel | ||
Line 1: | Line 1: | ||
====== PHP RFC: Argon2 Password Hash ====== | ====== PHP RFC: Argon2 Password Hash ====== | ||
- | * Version: 0.6 | + | * Version: 0.8 |
* Date: 2016-07-10 | * Date: 2016-07-10 | ||
* Author: Charles R. Portwood II < | * Author: Charles R. Portwood II < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
Line 13: | Line 13: | ||
- And a parallelism factor, which defines the number of parallel threads | - And a parallelism factor, which defines the number of parallel threads | ||
- | Argon2 comes in two distinct flavors, Argon2i and Argon2d. Argon2i which is optimized for password hashing and password based key derivation. | + | Argon2 comes in two distinct flavors, Argon2i and Argon2d. Argon2i which is optimized for password hashing and password based key derivation. |
===== Proposal ===== | ===== Proposal ===== | ||
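Review bot: the sentence on the Argon2i line is a fragment in both revisions ("Argon2i which is optimized for password hashing and password based key derivation."); drop "which" or finish the clause. The sentence also introduces two flavors but characterises only one, so a reader cannot tell from this paragraph what distinguishes Argon2i from Argon2d or why the RFC selects Argon2i; one clause stating the distinguishing property would close that gap.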
Line 39: | Line 39: | ||
< | < | ||
- | memory_cost = 64 Mib | + | memory_cost = 1024 KiB |
- | time_cost = 3 | + | time_cost = 2 |
- | threads = 1 | + | threads = 2 |
</ | </ | ||
+ | |||
+ | All three values are integers. The memory cost represents the number of KiB that should be consumed during hashing. The default value is 1<< | ||
+ | |||
+ | The time cost represents the number of times the hash algorithm will be run. And the thread parameter indicates the number of CPU threads that will be used during hashing. | ||
==== Changes to password_hash() ==== | ==== Changes to password_hash() ==== | ||
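Review bot: the new paragraph describing the defaults is cut off mid-value ("The default value is 1<<"), so the unit of the default is lost from the prose; the block directly above states memory_cost = 1024 KiB and the Discussion section later writes the same value as 1 MiB. State the default once, in KiB to match the parameter's own unit, and say explicitly that time_cost and threads default to 2 as the block does, so the prose and the block cannot drift apart in later revisions. "The number of times the hash algorithm will be run" is also a loose description of time_cost; since the section below notes that the reference material calls it t_cost, say that memory_cost and time_cost map to the library's m_cost and t_cost here, where the parameters are first defined.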
Line 115: | Line 119: | ||
None. | None. | ||
- | ===== Open Issues ===== | + | ===== Discussion |
+ | |||
+ | All issues in this section have been resolved. The primary discussion points and resolutions are outlined. | ||
+ | |||
+ | ==== [Resolved] Cost factors ==== | ||
+ | |||
+ | This library initially proposed higher cost factors, but now proposes the following cost factors: | ||
+ | |||
+ | < | ||
+ | memory_cost = 1 MiB | ||
+ | time_cost = 2 | ||
+ | threads = 2 | ||
+ | </ | ||
+ | |||
+ | Due to the variety of platforms PHP runs on, the cost factors are deliberately set low as to not accidentally exhaust system resources on shared or low resource systems when using the default cost parameters. Consequently, | ||
+ | |||
+ | - Common Cloud Server 512 MB, 1 Core: 3-5 ms | ||
+ | - Common Cloud Server 2 GB, 2 Core, 1-3 ms | ||
+ | - 512 MB Raspberry Pi Zero: 75-85ms | ||
+ | |||
+ | As Argon2 doesn' | ||
==== [Resolved] m_cost, t_costs vs memory_cost, | ==== [Resolved] m_cost, t_costs vs memory_cost, | ||
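Review bot: the benchmark list is inconsistently formatted: item 2 uses a comma where items 1 and 3 use a colon, and item 3 writes "75-85ms" without the space used in "3-5 ms". More substantively, the paragraph justifies the low defaults (1 MiB, time_cost 2, 2 threads) by the risk of exhausting resources on shared or low-resource systems, but the sentence that should tell deployers what to do instead breaks off at "Consequently,"; complete it with an explicit statement that the defaults are a floor chosen for safety and that memory_cost should be raised on dedicated hardware, otherwise readers will take numbers tuned to be safe on a Raspberry Pi Zero as the recommended production settings.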
Line 121: | Line 145: | ||
The reference material uses m_cost and t_cost. End users might find it easier to use memory_cost and time_cost. The cost variables have been changed to the latter to simplify cost selection for the end user. | The reference material uses m_cost and t_cost. End users might find it easier to use memory_cost and time_cost. The cost variables have been changed to the latter to simplify cost selection for the end user. | ||
- | ==== Providing default options ==== | + | ==== [Resolved] |
Providing default options allows for ease of use, and encourages use. Not providing options encourages experimentation on your system, but discourages use from people unfamiliar with the algorithm. | Providing default options allows for ease of use, and encourages use. Not providing options encourages experimentation on your system, but discourages use from people unfamiliar with the algorithm. | ||
Line 159: | Line 183: | ||
Vote YES to include Argon2 as an alternative to Bcrypt within the password_* functions in 7.2. A 50%+1 majority should be sufficient. | Vote YES to include Argon2 as an alternative to Bcrypt within the password_* functions in 7.2. A 50%+1 majority should be sufficient. | ||
- | Voting will be open for 1 week. | + | Voting will be open for 2 weeks. |
- | <doodle title=" | + | <doodle title=" |
* Yes | * Yes | ||
* No | * No | ||
Line 168: | Line 192: | ||
===== Patches and Tests ===== | ===== Patches and Tests ===== | ||
- | A working patch is available at: https:// | + | A working patch against the latest version of the Argon2 reference library |
===== Implementation ===== | ===== Implementation ===== | ||
- | After the project is implemented, | + | - Merged in 7.2 |
- | - the version(s) it was merged to | + | - Commit: https:// |
- | | + | |
- a link to the PHP manual entry for the feature | - a link to the PHP manual entry for the feature | ||
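Review bot: the Implementation list now records "Merged in 7.2" and a commit link, but the link is cut at "https://", the third list item is empty, and the last item still reads as the template placeholder "a link to the PHP manual entry for the feature"; fill in the commit URL and the manual link, or remove the empty bullet, so the section actually records where the implementation landed. The Patches and Tests line above has the same problem: its URL is likewise truncated at "https://".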
Line 195: | Line 218: | ||
- 2016-08-01: 0.5 Voting closes due to issue with RFC, removing 7.4 and adding new issues brought up during vote | - 2016-08-01: 0.5 Voting closes due to issue with RFC, removing 7.4 and adding new issues brought up during vote | ||
- 2016-08-01: 0.6 Removing Argon2 from password_*, changing configure flag to --with-password-argon2 for clarity of scope | - 2016-08-01: 0.6 Removing Argon2 from password_*, changing configure flag to --with-password-argon2 for clarity of scope | ||
+ | - 2016-08-18: 0.7 Adding clarity on new cost factors | ||
+ | - 2016-08-24: 0.8 Voting re-opened | ||
+ | - 2016-09-08: 0.8 RFC accepted, voting closed |
rfc/argon2_password_hash.1470421808.txt.gz · Last modified: 2017/09/22 13:28 (external edit)