16

(I realize this is yet another Argon2 "how do I configure" question, but the existing questions I've found don't really help. If I've missed one, happy to have this closed).

Deploying Argon2 (with the Argon2id variant) into a server environment to hash passwords and process site logins - the question we're grappling with is "how much memory to allocate". Now, I'm aware it's "as much as practically possible" but I haven't found any guidance on a lower limit (e.g., something that says something like "below 16MB it's not worth it").

This question suggests 32MB is good enough for most applications, and this one suggests '0.75 * (memory/users)' as a guideline, but not sure if this is reasonable?

Obviously, as iterations can be tuned upwards, we can maintain hardness in that dimension, but at what lower limit of memory would be considered "bad" or at least "not good" for Argon2? If this is pure to help avoid cache hits in a GPU then this would suggest allocations as low as 16MB may be okay, but am I missing something? If it's a case of "16MB okay, 32MB recommended, above 48MB there's nothing gained anything at the current state-of-the-art" that's also fine. I've seen people talk about 1GB allocations - this almost seems overkill?

R1w
  • 1,960
  • 4
  • 23
  • 45
Callie J
  • 273
  • 2
  • 8

2 Answers2

8

An RFC for Argon2 has been published now, which provides several recommendations. Unfortunately, the situation is still not clear cut and seems unrealistic.

Their two generally recommended options are:

  1. If a uniformly safe option that is not tailored to your application or hardware is acceptable, select Argon2id with t=1 iteration, p=4 lanes, m=2^(21) (2 GiB of RAM), 128-bit salt, and 256-bit tag size.

  2. If much less memory is available, a uniformly safe option is Argon2id with t=3 iterations, p=4 lanes, m=2^(16) (64 MiB of RAM), 128-bit salt, and 256-bit tag size.

However, directly above that they state:

Argon2id is optimized for more realistic settings, where the adversary can possibly access the same machine, use its CPU, or mount cold-boot attacks. We suggest the following settings:

Backend server authentication, which takes 0.5 seconds on a 2 GHz CPU using 4 cores -- Argon2id with 8 lanes and 4 GiB of RAM.

Key derivation for hard-drive encryption, which takes 3 seconds on a 2 GHz CPU using 2 cores -- Argon2id with 4 lanes and 6 GiB of RAM.

Frontend server authentication, which takes 0.5 seconds on a 2 GHz CPU using 2 cores -- Argon2id with 4 lanes and 1 GiB of RAM.

Most of these memory suggestions sound unusably high to me. In contrast, the libsodium documentation says there's no 'insecure' memory size but obviously encourages more when possible.

For servers, you should probably opt for server relief to avoid DoS attacks. This involves both client-side and server-side hashing, potentially allowing slightly larger parameters on the client. However, the client-side parameters might have to be limited due to things like mobile devices.

I personally wouldn't go below 32 MiB and would consider 64 MiB a better minimum. However, it should be adjusted based on the hardware/clients for the best security. More memory is better than more iterations.

Many companies (e.g. online password managers) still seem to be avoiding Argon2 and sticking with PBKDF2 over efficiency concerns and JavaScript challenges.

Update - January 9th 2023

Steve Thomas, one of the Password Hashing Competition (PHC) judges, maintains a page with minimum settings for multiple password hashing algorithms, including Argon2. At the time of writing, this is more up-to-date than OWASP recommendations.

Also, in a server context, consider using bcrypt (ideally hmac-bcrypt) instead of Argon2. bcrypt is minimally cache-hard, so it offers better protection at shorter runtimes than Argon2, which is more suited to key derivation like scrypt.

Royce Williams
  • 253
  • 2
  • 8
samuel-lucas6
  • 2,211
  • 9
  • 20
1

In the time since I asked this back in 2018, OWASP have published guidance on Argon2 at https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

At time of writing (Jan 2023), this says:

Argon2id should use one of the following configuration settings as a base minimum which includes the minimum memory size (m), the minimum number of iterations (t) and the degree of parallelism (p).

  • m=37 MiB, t=1, p=1
  • m=15 MiB, t=2, p=1

Both of these configuration settings are equivalent in the defense they provide. The only difference is a trade off between CPU and RAM usage.

Callie J
  • 273
  • 2
  • 8