bburman / Twelve21.PasswordStorage

Provides utility functions for password storage.
MIT License
15 stars 5 forks

Auto calibrate in production environment #5

Open Ralf1108 opened 4 years ago

Ralf1108 commented 4 years ago

While testing your application to find out the best parameters for the production servers I had the problem that the production environment could change over time. That means that when the technology and the hosting environments become more powerful these parameters have to be adjusted as well.

My idea: Using your code the production server could calibrate itself:

  1. If the server detects that the Argon2 calculation takes less than a threshold (e.g. 30%) of the desired time (e.g. 1 sec) this could be a good indicator that the hardware changed.
  2. If the calculation time went down the server could start a calibration task or queue for next startup to find the best parameters via your code. Calibration should be done in max 2-5 minutes.
  3. The newly found parameters will be used for the sneaky migration of the existing passwords. Whenever a user logs in and authenticates correctly the password could then be recalculated with Argon2 and the new parameters and stored in the database. So over time the password protection increases automatically without any maintenance.
  4. In case the hardware gets slower, meaning the calculation time for Argon2 goes up, nothing will be done because we don't want to weaken the password protection.

What do you think?
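The four steps above as one runnable sketch. This is an added example, not code from Twelve21.PasswordStorage or from either commenter; it uses `hashlib.scrypt` from the Python standard library as a stand-in for Argon2 so it runs offline, and the `$scrypt$n=..,r=..,p=..$salt$key` encoding, the function names, the 30% ratio and the cost ordering are this example's own assumptions. The parameters are stored inside each record so that hashes written under an older policy stay verifiable, the timer used by calibration is injectable so the logic can be checked without real timing, and `adopt` enforces the "never weaken" rule from step 4.

```python
"""Self-calibrating password hashing with the parameters stored in-band.
Added example; scrypt stands in for Argon2 and the record format is made up here."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Params:
    """scrypt cost parameters; n is the CPU/memory cost and must be a power of two."""
    n: int
    r: int = 8
    p: int = 1

    def cost(self) -> int:
        # Work grows with n*r*p (memory with n*r); used to order "weaker" vs "stronger".
        return self.n * self.r * self.p


def _maxmem(params: Params) -> int:
    # OpenSSL needs about 128*r*(n+p+2) bytes for scrypt; allow double as the ceiling.
    return 2 * 128 * params.r * (params.n + params.p + 2)


def hash_password(password: str, params: Params, salt: Optional[bytes] = None) -> str:
    """Return '$scrypt$n=..,r=..,p=..$<salt hex>$<key hex>' (assumed format)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=params.n, r=params.r,
                         p=params.p, maxmem=_maxmem(params), dklen=32)
    return f"$scrypt$n={params.n},r={params.r},p={params.p}${salt.hex()}${key.hex()}"


def parse(encoded: str) -> Tuple[Params, bytes, bytes]:
    """Recover the parameters a record was written with, so old records stay verifiable."""
    _, algo, fields, salt_hex, key_hex = encoded.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash")
    kv = dict(f.split("=") for f in fields.split(","))
    return (Params(int(kv["n"]), int(kv["r"]), int(kv["p"])),
            bytes.fromhex(salt_hex), bytes.fromhex(key_hex))


def verify(password: str, encoded: str) -> bool:
    params, salt, key = parse(encoded)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=params.n, r=params.r,
                               p=params.p, maxmem=_maxmem(params), dklen=len(key))
    return hmac.compare_digest(candidate, key)  # constant-time comparison


def verify_and_migrate(password: str, encoded: str, current: Params) -> Tuple[bool, Optional[str]]:
    """Step 3: on a correct login, rehash with the current policy if the record is weaker.
    Returns (ok, new_record_or_None); the caller persists the new record when present."""
    if not verify(password, encoded):
        return False, None
    stored_params, _, _ = parse(encoded)
    if stored_params.cost() >= current.cost():
        return True, None  # already at or above the current policy
    return True, hash_password(password, current)


def needs_recalibration(observed_seconds: float, target_seconds: float, ratio: float = 0.3) -> bool:
    """Step 1: a hash finishing well under the target suggests the hardware got faster."""
    return observed_seconds < ratio * target_seconds


def measure(params: Params) -> float:
    """Wall-clock seconds for one hash at these parameters (real timing; noisy)."""
    start = time.perf_counter()
    hash_password("calibration-probe", params)
    return time.perf_counter() - start


def calibrate(target_seconds: float, start: Params, max_n: int = 2 ** 24,
              timer: Callable[[Params], float] = measure) -> Params:
    """Step 2: double n until a single hash would exceed the target; keep the last fit.
    If even `start` is too slow, `start` is returned: we never go below it."""
    best, n = start, start.n
    while n <= max_n:
        trial = Params(n, start.r, start.p)
        if timer(trial) > target_seconds:
            break
        best, n = trial, n * 2
    return best


def adopt(current: Params, proposed: Params) -> Params:
    """Step 4: only ever move to stronger parameters; a slower box keeps the old ones."""
    return proposed if proposed.cost() > current.cost() else current


if __name__ == "__main__":
    policy = Params(2 ** 14)
    old_record = hash_password("correct horse battery staple", Params(2 ** 12))
    ok, upgraded = verify_and_migrate("correct horse battery staple", old_record, policy)
    print(ok, parse(upgraded)[0] if upgraded else "no migration needed")
```

Run it as a script to see one login migrate a record from n=4096 to the n=16384 policy. The calibration step is a real CPU and memory burn, which is why `calibrate` takes a `timer` argument: in production pass the default and run it off-peak; in tests pass a fake so the search logic is checked deterministically.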

bburman commented 3 years ago

I think that you have some neat ideas and would be excited to see what you do with them. I do have a few comments.

  1. You could probably simplify this by just taking a thumbprint of the hardware that the algorithm depends upon (e.g., memory, processor count, speed, GPUs, etc.) I'm not going to pretend that I know all of the ins and outs of the algorithm, but I usually like to keep things simple and only introduce complexity when necessary. Hardware doesn't change that much in my experience.
  2. Calibration will be a very system intensive operation, so you'll want to make sure you schedule it during down time.
  3. Yes, you are very correct. If you intend to change the parameters dynamically, then you'll definitely want to store the parameters so that you can calculate the correct hash. I like your sneaky migration, but it will unfortunately probably increase the latency of login. You may want to simply rely on changing it the next time the password expires, or force it to expire early.
  4. If hardware gets slower, you could definitely have a negative impact on the system. You could very easily double the required time. You may need to weaken the protections in this case.

Keep me apprised on what you're doing. It sounds pretty cool!