11

What are reasonable parameters for Argon2 to hash passwords in a web application? On the one hand we need good performance, fast responses and DDoS resistance, but on the other hand we need protection from brute force on modern GPU, ASIC, FPGA etc. I see an example in Django - they use Argon2i with p=2, t=2 and 512kb of RAM, so is it enough nowadays?

Update: Basically I need to keep response time as low as possible, say 5ms for a user to hash his password. Taking into consideration theoretical throughput of RAM I can afford from 2 till 8Mb per password, so I can either spend more time doing calculations on CPU or consume more RAM with less calculations. What is the best strategy for such a case (do more CPU calculations or consume more RAM per password) to get as maximum brute force resistance as possible? The password hashing algorithm is Argon2, as it's mentioned in the title.

Update 2: Those who vote against some answers please do describe your point in comments.

CaptainRR
  • 656
  • 5
  • 16

2 Answers2

4

Only peripherally related, but consider doing somewhat expensive hashing on the client side as well as on the server, and arguably instead of on the server. This increases the costs of an attacker brute-forcing passwords, but scales better, and depending on your clients this could be viable - for example, browsers expose built-in PBKDF2 via webcrypto APIs.

orip
  • 328
  • 4
  • 12
2

After some research I came up with the following solution - not to concentrate on a password hashing algorithm itself, but to apply mitigations on the overall password hashing scheme. I'd recommend the following steps:

  • define your server response KPI (for example, you can afford 20ms for password hashing per user)
  • optimize the implementation as much as possible (Runtime CPU dispatching and optimizations for different CPU instructions, like in this implemenation)
  • figure out the appropriate parameters using benchmarks
  • apply mitigations on the whole password hashing scheme level (use local parameters - algorithm secrets that are stored in app configuration and not in the database with hashed passwords, crypto anchors or state-of-the-art PO-PRF approach)
CaptainRR
  • 656
  • 5
  • 16