[Django] #34875: Use RFC 9106 recommendations in Argon2PasswordHasher

0 views
Skip to first unread message

Django

unread,
Sep 27, 2023, 11:03:44 AM9/27/23
to django-...@googlegroups.com
#34875: Use RFC 9106 recommendations in Argon2PasswordHasher
------------------------------------------------+------------------------
Reporter: tecbr | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: 4.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
The library used by Django for implementation of argon2 (argon2-cffi)
sinse 21.2.0 (2021-12-08) uses the RFC 9106 low memory profile by default.

References:
[https://github.com/hynek/argon2-cffi/issues/101]
[https://github.com/hynek/argon2-cffi/blob/main/CHANGELOG.md]
[https://github.com/hynek/argon2-cffi/blob/main/src/argon2/profiles.py]

Why Django does not use these recommendations?

--
Ticket URL: <https://code.djangoproject.com/ticket/34875>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

unread,
Sep 28, 2023, 12:07:06 AM9/28/23
to django-...@googlegroups.com
#34875: Use RFC 9106 recommendations in Argon2PasswordHasher
-------------------------------------+-------------------------------------
Reporter: tecbr | Owner: nobody
Type: | Status: closed
Cleanup/optimization |
Component: contrib.auth | Version: 4.2
Severity: Normal | Resolution: wontfix

Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* cc: Florian Apolloner (added)
* status: new => closed
* resolution: => wontfix


Comment:

Thanks for the ticket. Django uses the default values for `salt_len` and
`hash_len`. TBH, I don't see much value in decreasing `time_cost`,
`memory_cost`, and `parallelism` to the new low-memory profile. It's also
[https://docs.djangoproject.com/en/stable/topics/auth/passwords/#argon2
documented] how to adjust parameters to your needs.

> Why Django does not use these recommendations?

I'd ask why Django should adapt to the new low-memory profile?

--
Ticket URL: <https://code.djangoproject.com/ticket/34875#comment:1>

Django

unread,
Oct 7, 2023, 9:28:19 AM10/7/23
to django-...@googlegroups.com
#34875: Use RFC 9106 recommendations in Argon2PasswordHasher
-------------------------------------+-------------------------------------
Reporter: tecbr | Owner: nobody
Type: | Status: closed
Cleanup/optimization |
Component: contrib.auth | Version: 4.2
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage:
| Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

I would be okay with updating to the low_memory profile to increase
potential interop and be able to say "we are following the RFC" if some
other requested changes come up :D

--
Ticket URL: <https://code.djangoproject.com/ticket/34875#comment:2>

Reply all
Reply to author
Forward
0 new messages