ccfcet / karma

Information Management Framework (HTTP API Service) for Educational Institutions.
GNU Affero General Public License v3.0
17 stars, 11 forks

Bcrypt added and argon removed and Sequelize reverted #58

Closed mustafapc19 closed 5 years ago

mustafapc19 commented 5 years ago

Populate users with the register route, as old hashes may persist in the old database.

jilvin commented 5 years ago

Why was argon removed? Isn't argon2 better?

On Sat, Nov 23, 2019, 4:19 PM mustafapc19 notifications@github.com wrote:

You can view, comment on, or merge this pull request online at:

https://github.com/ccfcet/karma/pull/58

Commit Summary

  • Hash package changed protected
  • Hash package changed (bcrypt)
  • Hash package changed (bcrypt)
  • Hash package changed (bcrypt) and revert Sequelize version
  • Hash package changed (bcrypt) and revert Sequelize version


mustafapc19 commented 5 years ago

Argon is slow. It was taking 5 seconds just to hash, while bcrypt hashes in below 1 second.

jilvin commented 5 years ago

I think it was intentional. Can you read on before you merge?

mustafapc19 commented 5 years ago

I have read on. I don't think a relatively weak password hash will be that big of a deal, as the server will be hanging all the time under argon. I think it's a good compromise. My friend's laptop hangs when he accesses the login API :smile:

jilvin commented 5 years ago

You can try tweaking the parameters when you guys get time. There will be a trade-off anyway, but argon2 was specifically designed against some known attacks.

mustafapc19 commented 5 years ago

I tried the default settings, but it was slow as well. And to brute-force, won't they need to know the password beforehand? So I don't think it will be a big deal. And the time delay is a pain in the ass for development. Might change before shipping, maybe. Idk.