[Django] #30472: Argon2id should be supported and become the default variety for Argon2PasswordHasher


Django

May 10, 2019, 6:22:28 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
-------------------------------------+-------------------------------------
Reporter: Si Feng | Owner: nobody
Type: New feature | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Keywords: argon2, argon2id
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
There were two important changes in the upstream
[https://github.com/hynek/argon2_cffi argon2-cffi] library since Django
1.10 was released with Argon2 support:

1. (Nov 10, 2016) argon2id support was added:
https://github.com/hynek/argon2_cffi/commit/00120a9880a74a5aedb13ee343bf6ccd507bb2d8#diff-1efe26b4b54ac28232eaecb9107ee6ed
2. (Apr 9, 2018) argon2id became its default type:
https://github.com/hynek/argon2_cffi/pull/34/files

When Django 1.10 was released, only argon2d and argon2i were available,
hence the hard-coded argon2i variety in Argon2PasswordHasher.

--
Ticket URL: <https://code.djangoproject.com/ticket/30472>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 10, 2019, 6:38:27 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
----------------------------------+--------------------------------------
Reporter: Si Feng | Owner: nobody
Type: New feature | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Resolution:
Keywords: argon2, argon2id | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Description changed by Si Feng:

Old description:

> There were two important changes in the upstream
> [https://github.com/hynek/argon2_cffi argon2-cffi] library since Django
> 1.10 was released with Argon2 support:
>
> 1. (Nov 10, 2016) argon2id support was added:
> https://github.com/hynek/argon2_cffi/commit/00120a9880a74a5aedb13ee343bf6ccd507bb2d8#diff-1efe26b4b54ac28232eaecb9107ee6ed
> 2. (Apr 9, 2018) argon2id became its default type:
> https://github.com/hynek/argon2_cffi/pull/34/files
>
> When Django 1.10 was released, only argon2d and argon2i were available,
> hence the hard-coded argon2i variety in Argon2PasswordHasher.

New description:

There were three important changes in the upstream
[https://github.com/hynek/argon2_cffi argon2-cffi] library since Django
1.10 was released with Argon2 support:

1. (Nov 10, 2016) argon2id support was added:
https://github.com/hynek/argon2_cffi/commit/00120a9880a74a5aedb13ee343bf6ccd507bb2d8#diff-1efe26b4b54ac28232eaecb9107ee6ed
2. (Apr 9, 2018) argon2id became its default type:
https://github.com/hynek/argon2_cffi/pull/34/files
3. (Aug 18, 2018) its hasher's default memory cost changed from 512 to
102400, and parallelism from 2 to 8, per
[https://tools.ietf.org/html/draft-irtf-cfrg-argon2-04#section-4 RFC draft] recommendations:
https://github.com/hynek/argon2_cffi/commit/1ec39f8dc7a140b68099549b799301113576bde2

When Django 1.10 was released, only argon2d and argon2i were available,
hence the hard-coded argon2i variety in Argon2PasswordHasher. The
memory_cost = 512 and parallelism = 2 were also copied from argon2-cffi at
that time.

Now we should sync Django with upstream updates.

--
Ticket URL: <https://code.djangoproject.com/ticket/30472#comment:1>

Django

May 10, 2019, 6:40:09 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
----------------------------------+--------------------------------------
Reporter: Si Feng | Owner: nobody
Type: New feature | Status: new
Component: Uncategorized | Version: master
Severity: Normal | Resolution:
Keywords: argon2, argon2id | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------------+--------------------------------------
Description changed by Si Feng:

Old description:

> There were three important changes in the upstream
> [https://github.com/hynek/argon2_cffi argon2-cffi] library since Django
> 1.10 was released with Argon2 support:
>
> 1. (Nov 10, 2016) argon2id support was added:
> https://github.com/hynek/argon2_cffi/commit/00120a9880a74a5aedb13ee343bf6ccd507bb2d8#diff-1efe26b4b54ac28232eaecb9107ee6ed
> 2. (Apr 9, 2018) argon2id became its default type:
> https://github.com/hynek/argon2_cffi/pull/34/files
> 3. (Aug 18, 2018) its hasher's default memory cost changed from 512 to
> 102400, and parallelism from 2 to 8, per
> [https://tools.ietf.org/html/draft-irtf-cfrg-argon2-04#section-4 RFC draft] recommendations:
> https://github.com/hynek/argon2_cffi/commit/1ec39f8dc7a140b68099549b799301113576bde2
>
> When Django 1.10 was released, only argon2d and argon2i were available,
> hence the hard-coded argon2i variety in Argon2PasswordHasher. The
> memory_cost = 512 and parallelism = 2 were also copied from argon2-cffi
> at that time.
>
> Now we should sync Django with upstream updates.

New description:

There were three important changes in the upstream
[https://github.com/hynek/argon2_cffi argon2-cffi] library since Django
1.10 was released with Argon2 support:

1. (Nov 10, 2016) argon2id support was added:
https://github.com/hynek/argon2_cffi/commit/00120a9880a74a5aedb13ee343bf6ccd507bb2d8#diff-1efe26b4b54ac28232eaecb9107ee6ed
2. (Apr 9, 2018) argon2id became its default type:
https://github.com/hynek/argon2_cffi/pull/34/files
3. (Aug 18, 2018) its hasher's default memory cost changed from 512 to
102400, and parallelism from 2 to 8, per
[https://tools.ietf.org/html/draft-irtf-cfrg-argon2-04#section-4 RFC draft] recommendations:
https://github.com/hynek/argon2_cffi/commit/1ec39f8dc7a140b68099549b799301113576bde2

When Django 1.10 was released, only argon2d and argon2i were available,
hence the hard-coded argon2i variety in Argon2PasswordHasher.

Though Django does not use its hasher, the memory_cost = 512 and
parallelism = 2 in Argon2PasswordHasher were simply copied from
argon2-cffi's hasher back then.

Now we should sync Django with upstream updates.

--
Ticket URL: <https://code.djangoproject.com/ticket/30472#comment:2>
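
An added example, not Django's or argon2-cffi's own code, for the sync requested in the description above: it parses stored hashes and lists why each falls short of argon2id with memory cost 102400 and parallelism 8. It assumes Argon2PasswordHasher entries are stored as `argon2$` followed by the Argon2 encoded string; the function names are hypothetical and the sample entries are constructed.

```python
from typing import NamedTuple

TARGET_VARIETY = "argon2id"  # the three targets are the values named in the ticket
TARGET_MEMORY_COST = 102400
TARGET_PARALLELISM = 8
CURRENT_VERSION = 0x13  # Argon2 v1.3, written v=19 in the encoded string


class Argon2Params(NamedTuple):
    variety: str
    version: int
    memory_cost: int
    time_cost: int
    parallelism: int


def parse_encoded(encoded):
    """Parse 'argon2$argon2i$v=19$m=512,t=2,p=2$<salt>$<hash>' (assumed layout)."""
    prefix, _, phc = encoded.partition("$")
    fields = phc.split("$")
    if prefix != "argon2" or fields[0] not in ("argon2d", "argon2i", "argon2id"):
        raise ValueError("not an Argon2 entry")
    rest = fields[1:]
    version = 0x10  # strings without a v= field are Argon2 v1.0
    if rest and rest[0].startswith("v="):
        version, rest = int(rest[0][2:]), rest[1:]
    if len(rest) != 3:
        raise ValueError("expected cost parameters, salt and hash")
    costs = dict(item.split("=", 1) for item in rest[0].split(","))
    return Argon2Params(fields[0], version, int(costs["m"]), int(costs["t"]), int(costs["p"]))


def rehash_reasons(encoded):
    """Return the reasons a stored hash should be re-hashed at next login."""
    p = parse_encoded(encoded)
    reasons = []
    if p.variety != TARGET_VARIETY:
        reasons.append("variety %s, want %s" % (p.variety, TARGET_VARIETY))
    if p.version < CURRENT_VERSION:
        reasons.append("version %d, want %d" % (p.version, CURRENT_VERSION))
    if p.memory_cost < TARGET_MEMORY_COST:
        reasons.append("memory_cost %d below %d" % (p.memory_cost, TARGET_MEMORY_COST))
    if p.parallelism != TARGET_PARALLELISM:
        reasons.append("parallelism %d, want %d" % (p.parallelism, TARGET_PARALLELISM))
    return reasons

# Constructed sample entries (salt and hash fields are filler, not real digests).
OLD = "argon2$argon2i$v=19$m=512,t=2,p=2$c2FtcGxlc2FsdA$Y29uc3RydWN0ZWQ"
NEW = "argon2$argon2id$v=19$m=102400,t=2,p=8$c2FtcGxlc2FsdA$Y29uc3RydWN0ZWQ"
LEGACY = "argon2$argon2i$m=512,t=2,p=2$c2FtcGxlc2FsdA$Y29uc3RydWN0ZWQ"
```

An empty list from `rehash_reasons` means the entry already meets the target; anything else names the parameters that would be brought up to date by re-hashing when the user next logs in.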

Django

May 10, 2019, 8:04:40 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
--------------------------------------+------------------------------------
Reporter: Si Feng | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: argon2, argon2id | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Carlton Gibson):

* component: Uncategorized => contrib.auth
* type: New feature => Cleanup/optimization
* stage: Unreviewed => Accepted


Comment:

Great. Thanks.

[https://github.com/django/django/pull/11349 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/30472#comment:3>

Django

May 20, 2019, 4:38:44 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
--------------------------------------+------------------------------------
Reporter: Si Feng | Owner: fengsi
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: argon2, argon2id | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by felixxm):

* owner: nobody => fengsi
* needs_better_patch: 0 => 1
* status: new => assigned
* needs_docs: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/30472#comment:4>

Django

Jun 15, 2020, 10:45:25 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
-------------------------------------+-------------------------------------
Reporter: Si Feng | Owner: Florian Apolloner
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: argon2, argon2id | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* owner: fengsi => Florian Apolloner
* needs_better_patch: 1 => 0
* needs_docs: 1 => 0


Comment:

[https://github.com/django/django/pull/13066 New PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/30472#comment:5>

Django

Jun 17, 2020, 2:13:52 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
-------------------------------------+-------------------------------------
Reporter: Si Feng | Owner: Florian Apolloner
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: argon2, argon2id | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/30472#comment:6>

Django

Jun 17, 2020, 2:58:52 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
-------------------------------------+-------------------------------------
Reporter: Si Feng | Owner: Florian Apolloner
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: argon2, argon2id | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"1621f06051c94665f2edf492c10316875896e7eb" 1621f06]:
{{{
#!CommitTicketReference repository=""
revision="1621f06051c94665f2edf492c10316875896e7eb"
Fixed #30472 -- Made Argon2PasswordHasher use Argon2id.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30472#comment:8>

Django

Jun 17, 2020, 2:58:52 AM
to django-...@googlegroups.com
#30472: Argon2id should be supported and become the default variety for
Argon2PasswordHasher
-------------------------------------+-------------------------------------
Reporter: Si Feng | Owner: Florian Apolloner
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: argon2, argon2id | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Mariusz Felisiak <felisiak.mariusz@…>):

In [changeset:"faad809e09af5617f1cda579f5b031233be21cb3" faad809e]:
{{{
#!CommitTicketReference repository=""
revision="faad809e09af5617f1cda579f5b031233be21cb3"
Refs #30472 -- Simplified Argon2PasswordHasher with argon2-cffi 19.1+ API.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/30472#comment:7>
