Closed jmanico closed 3 years ago
Awesome idea @jmanico go for it :)
I talking to a few of the worlds top experts on this topic - as soon as I am done with my research I'll make this happen!
That is for Argon2id and Argon2i needs t≥3
because of an attack. Also https://password-hashing.net/argon2-specs.pdf has not been updated to Argon2 version 1.3.
The formulas to get <10 kH/s on an RTX 3080:
Argon2i: m≥74219/(3*t-1)*α+4*p-1, t≥3, p=1
Argon2{id,d}: m≥74219/(3*t-1)*α+4*p-1, t≥1, p=1
74219
comes from RTX 3080's bandwidth of 760 GB/s (74,218.75 = 760,000,000,000/10,000/1024
).
3*t-1
is how many times the memory is read or written. Twice on the first round (write sequential and read random) then three times from then on (write sequential, read sequential, and read random).
α
is the efficiency of bandwidth usage. Ideal for an RTX 3080 is about 97% (32/33). You can just ignore it and use α=1
.
The 4*p-1
is to round up because you can set m
to any number and it will round down to the nearest multiple of 4*p
. Also it real doesn't matter.
So you can just use the simplified version of m≥74219/(3*t-1)
. Also you could just state the following as good settings:
Argon2{id,d}: m=37112, t=1, p=1
Argon2{id,d}: m=14844, t=2, p=1
Argon2: m=9280, t=3, p=1
Argon2: m=6748, t=4, p=1
Or round up to the nearest MiB:
Argon2{id,d}: m=37 MiB, t=1, p=1
Argon2{id,d}: m=15 MiB, t=2, p=1
Argon2: m=10 MiB, t=3, p=1
Argon2: m=7 MiB, t=4, p=1
For authentication you should use p=1
because a lot of people are running a VPS with a single CPU core. Even if not, one could benchmark this and think they can go higher on settings than they should because they are not thinking about throughput. Also with memory hard algorithms, it would be wise to limit the number of simultaneous instances of Argon2. An attacker can likely send more requests per second than a server to do. Which will make the server exhaust all memory if there isn't a limit.
This is immensely helpful. I'm going to integrate your suggestions immediate and reference the PR for your review. Thank you!
@Sc00bz I integrated your comments into the cheatsheet, if you want anything changed or added please let me know. I made minimal changes and can add more if you feel it's valuable.
https://github.com/OWASP/CheatSheetSeries/commit/649429bdaab39019f5a7fc3e30487557644990aa
@Sc00bz would you like me to cite you as a reference in the document? I want to make sure you are getting proper credit. What would you like?
I would like to give clear guidance on how to tune Argon2i. I am inclined to go with https://tools.ietf.org/html/draft-ietf-kitten-password-storage-03#section-5.1.
Any thoughts here?