Hi Marc,
To be clear, I think we shouldn't make Argon2 the default just yet. I
would rather add it as an option for now and make it the default in a
later release. However, I would like to discuss what would block making
Argon2 the default already.
It is once per user, but it's once for *EVERY* user when that scenario
occurs. That could easily bring a site down if sessions were invalidated or
you have short session times. It's far too likely someone will have
serious, hard to debug problems as a result of this magical behaviour.
I also stron
> I may not understand the security implications here properly, but as far as I can tell there isn't a strong enough case that Argon2 is fundamentally better than PBKDF2 yet?
Barring any weakness in Blake2 we do not know about, Argon2 is way better than PBKDF2 as it is memory-hard. The gap between SH
I may not understand the security implications here properly, but as far as
I can tell there isn't a strong enough case that Argon2 is fundamentally
better than PBKDF2 yet? At least no more than people's arguments that
BCrypt is better. I think retaining the simple out of the box experience
where y
Hi all,
The PR[1] that adds Argon2 as a PasswordHasher is ready to be merged. It does
not make Argon2 the default. The reasons not to make it the default are:
1. Argon2 is young. (Its design, though, is uncontroversial.)
2. Argon2 requires C-bindings and thus does not work on every platform D
Hynek weighed in[1]. I think the PR is ready to merge.
Best wishes,
Bas
[1] https://github.com/django/django/pull/5876#issuecomment-168411156
> On 27 Dec 2015, at 13:39, Florian Apolloner wrote:
>
> I do not see anything wrong in the PR and there is probably no reason not to
> include i
I do not see anything wrong in the PR and there is probably no reason not
to include it. It would be great if you could get feedback from dstufft
and/or hynek in #cryptography-dev -- not that we miss something.
Cheers,
Florian
On Sunday, December 27, 2015 at 12:36:02 AM UTC+1, Bas Westerbaan wr
Hello,
This morning I submitted a Pull Request[1], which adds a PasswordHasher for
argon2 – the winner of the Password Hashing Competition.[2] Tim Graham
mentioned I should send an e-mail to this list to discuss it.
The patch is mostly pretty straightforward. I would like to add a few
remar