←back to thread

Evaluating Argon2 adoption and effectiveness in real-world software

(arxiv.org)
32 points pregnenolone | 5 comments | 15 Oct 25 06:29 UTC | HN request time: 0.607s | source
1. tialaramex ◴[22 Oct 25 10:39 UTC] No.45667165[source]
"Real-World Software" maybe but not real world effectiveness.

A lot of effort was expended on modelling the hypothetical thing Argon2 is good at, but a reasonable question is: Does that make any real world difference? And my guess is that the answer, awkwardly, is approximately No.

If you use good passwords or you have successfully stopped using passwords in the decades we've known they're a bad idea, Argon2 makes no difference at all over any of the other reasonable choices, and nor does its configuration. If you figure that nobody will remember your password is hunter2 then Argon2 can't help you either. If the attack being undertaken is an auth bypass, Argon2 can't help. If they're stealing credentials, Argon2 can't help.

replies(4): >>45667502 #>>45667528 #>>45668627 #>>45678505 #
2. integralid ◴[22 Oct 25 11:30 UTC] No.45667502[source]
Most people don't use password managers and their passwords are very weak - Argon2 helps here. And even if your use a password that most would consider strong, if something like md5 is used then modern gpsu can do a crazy number of operations per second and have a serious shot at breaking then - Argon2 helps here. Not every programmer knows how to handle passwords properly, and may forget to use salt. Argon2 makes this impossible, and helps here. Finally when comparing to something like bcrypt, improvements are less significant, but improved gpu resistance won't hurt. And bcrypt has weird implementation quirks (password length restriction) that lead to real world vulnerabilities, argon does not.

In short, I disagree.

3. ◴[22 Oct 25 11:32 UTC] No.45667528[source]
4. helpfulclippy ◴[22 Oct 25 13:14 UTC] No.45668627[source]
Strong hashes aren’t so useful for you the individual with a high entropy per-site password… they’re useful for responsible organizations trying to proactively mitigate the impact of a future data breach on users with bad password habits (which is a lot of users).

If ClownCo gets hacked that’s bad. If ClownCo gets hacked and discloses millions of sets of credentials, it is now enabling a new wave of credential stuffing attacks.

5. creatonez ◴[23 Oct 25 05:42 UTC] No.45678505[source]
Most people's passwords are in the category of "moderately weak, but not necessarily leaked to the public". If you are to accept passwords at all, you are responsible for protecting these users who have an expectation that your service is no worse than any other service's ability to protect passwords. There is no way surefire to force users to pick a truly entropic password. So an adequate amount of key stretching is not optional.

In a way, adequate password stretching helps to treat passwords as the toxic sludge they are. The goal is to store them in the most irrecoverable possible format, regardless of the poor decisions of the users who entered those passwords, so that you as the service don't end up being the one making the problem worse.