←back to thread

Evaluating Argon2 adoption and effectiveness in real-world software

(arxiv.org)
32 points pregnenolone | 2 comments | 15 Oct 25 06:29 UTC | HN request time: 0s | source
1. atoav ◴[22 Oct 25 16:39 UTC] No.45671710[source]
For a university self service portal that was a green field project I selected Argon2 as the password hashing algorithm. For evaluation I went pretty deep into how to implement password storage myself, to then opt for OpenLDAP, which we use now.

I really liked what I saw there. Argon2 has some adjustable settings for hash complexity that allow you to select your own tradeoff between cracking resistance and resource use. And not only that Argon2 provides everything needed to rehash on the fly when these setting change, which makes it really future-proof.

The (offical) argon2 libraries I used were all well written and documented, the integration into OpenLDAP very straight-forward. One painpoint we had was with OpenRadius, that instead of just asking the LDAP server to check a password decides to read the hash from LDAP and then try to verify it. And of course Argon2 is not supported..

We found another better alternative way of achieving the same, without OpenRadius. I don't really know the details here, but as of now (3 years in) we are still very happy with the choice.

replies(1): >>45678593 #
2. creatonez ◴[23 Oct 25 05:55 UTC] No.45678593[source]
> And not only that Argon2 provides everything needed to rehash on the fly when these setting change, which makes it really future-proof.

Argon2 itself doesn't necessarily provide this. Rather, this comes from convention and best practices implemented in various password libraries. The unix `crypt` syntax (`$id$rounds=yyy$salt$encrypted`) has been adapted for use with PBKDF2, bcrypt, scrypt, Argon2, etc. by a handful of libraries, and helps you store the algorithm and parameters in the same string so that having multiple formats and updating old ones is trivial. But it's not required for Argon2 implementers and was never mentioned in the original paper - the algorithm itself just specifies a function that returns raw bytes.

It's definitely nice to have, though. For the purpose of password hashing (which isn't necessarily the only thing Argon2 is good for), I wouldn't use a library that didn't have some sort of hash upgrade helper.