Update Argon2 and scrypt work factors #1073

Merged, 1 commit, Jan 24, 2023

@Sc00bz Sc00bz commented Jan 24, 2023

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • The CI build of your PR passes, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR is kind of related to issue #1043

Thank you again for your contribution 😃

@FuzzyLitchi

What data are these recommendations based on? Thanks

Sc00bz commented Jan 27, 2023

It's based off the RX 7900 XTX's memory bandwidth. So these are the maximum theoretical minimum settings for <10 kH/s/GPU. The RX 7900 XTX was picked because it has the highest bandwidth (960 GB/s) for a reasonably priced GPU (<$1000).

I'd base it off benchmarks but I don't have access to a bunch of different GPUs for testing. Also GPU cracking software needs some work for Argon2 and scrypt. Both algorithms have an internal parallelism that Hashcat isn't taking advantage of. And benchmarks with other software are hard to find or with old GPUs. Also the benchmarks with Hashcat for scrypt are for specific low settings.
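
The bandwidth-bound reasoning in the comment above, worked through for Argon2 as an added example (it is not part of the PR or of anyone's comment in this thread). The 960 GB/s and 10 kH/s figures are the ones quoted in the comment; the traffic model of 3t - 1 memory transfers per byte of Argon2 memory and all function names are assumptions of this example.

```python
"""Bandwidth-bound estimate of Argon2 cracking speed (added example)."""
import math

GPU_BANDWIDTH = 960 * 10**9   # bytes/s, the RX 7900 XTX figure quoted in the thread
TARGET_RATE = 10_000          # hashes/s per GPU, the "<10 kH/s/GPU" target
KIB = 1024


def traffic_multiplier(t: int) -> int:
    """Memory transfers per byte of Argon2 memory over t passes.

    Assumed model: pass 1 costs one read (reference block) and one write per
    block; each later pass costs two reads (reference block and the block
    being overwritten) and one write. The previous block is taken to be in
    cache. Lanes (p) split the same memory, so p does not change the total.
    """
    if t < 1:
        raise ValueError("Argon2 needs at least one pass")
    return 3 * t - 1


def max_hashes_per_second(m_kib: int, t: int, bandwidth: int = GPU_BANDWIDTH) -> float:
    """Upper bound on guesses/s if memory bandwidth is the only limit."""
    return bandwidth / (m_kib * KIB * traffic_multiplier(t))


def min_memory_mib(t: int, bandwidth: int = GPU_BANDWIDTH, target: int = TARGET_RATE) -> int:
    """Smallest whole-MiB memory cost that keeps the bound at or under target."""
    exact_kib = bandwidth / (target * KIB * traffic_multiplier(t))
    return math.ceil(exact_kib / 1024)


if __name__ == "__main__":
    # Print the memory floor for each pass count and the resulting bound.
    for t in range(1, 6):
        m = min_memory_mib(t)
        rate = max_hashes_per_second(m * 1024, t)
        print(f"t={t}: m >= {m} MiB ({m * 1024} KiB), bound {rate:,.0f} H/s")
```

This is a ceiling on attacker speed, not a benchmark: real cracking software will run below it, which is the gap the comment describes.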

stringhandler pushed a commit to tari-project/tari that referenced this pull request Jan 30, 2023
Description
---
Updates `Argon2` parameters.

Closes [issue 5139](#5139).

Motivation and Context
---
A recent [update](OWASP/CheatSheetSeries#1073) to the [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id) for `Argon2` password-based key derivation means the codebase is out of date.

This PR updates all `Argon2` parameters to meet this standard. While there are no particularly concerning risks to users with the older standard, it's a matter of good practice to keep these updated where feasible.

Note that this PR does not introduce any kind of key migration, so this change is...


How Has This Been Tested?
---
Existing tests pass.


BREAKING CHANGE: Renders all previous `Argon2`-derived keys invalid.