Open pilcrowOnPaper opened 8 months ago
What is the type of issue?

Something else

What is the issue?

OWASP recommends that for Argon2id:

> Use Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism.

and for Bcrypt:

> For legacy systems using bcrypt, use a work factor of 10 or more and with a password limit of 72 bytes.

OWASP also has a list of recommended configurations for Argon2id for each iteration as well. Both examples in the docs do not meet these recommendations:

```ts
// use argon2 (default)
const argonHash = await Bun.password.hash(password, {
  algorithm: "argon2id", // "argon2id" | "argon2i" | "argon2d"
  memoryCost: 4, // memory usage in kibibytes
  timeCost: 3, // the number of iterations
});

// use bcrypt
const bcryptHash = await Bun.password.hash(password, {
  algorithm: "bcrypt",
  cost: 4, // number between 4-31
});
```

I'm not sure if Bun checks if the password is under 72 bytes when using Bcrypt, but that's another issue.

Where did you find it?

No response
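As an added example (not code from the Bun docs or from the issue author), the following shows what the OWASP floor looks like when written as `Bun.password.hash` options, and the two checks the issue raises: `memoryCost` is in kibibytes, so 19 MiB has to be written as `19 * 1024`, and bcrypt's 72-byte limit has to be measured in UTF-8 bytes rather than characters. It assumes the option shapes shown in the issue (`{ algorithm, memoryCost, timeCost }` for Argon2, `{ algorithm, cost }` for bcrypt); the Argon2id rows are the ones listed in the OWASP Password Storage Cheat Sheet. Everything except the final `Bun.password.hash` call runs under plain Node as well.

```javascript
// Added example: OWASP-floor parameters for Bun.password.hash plus the unit and
// byte-length checks discussed in the issue. Not code from Bun or the issue author.
// Assumption: options look like { algorithm, memoryCost (KiB), timeCost } for
// Argon2 and { algorithm, cost } for bcrypt, as in the docs excerpt above.

// OWASP Password Storage Cheat Sheet Argon2id settings, memory expressed in KiB
// so the values can be passed straight to memoryCost. Each row is an acceptable
// floor; the 19 MiB / 2 iterations row is the one quoted in the issue.
const OWASP_ARGON2ID_ROWS = Object.freeze([
  { memoryCost: 47104, timeCost: 1 }, // 46 MiB, 1 iteration
  { memoryCost: 19456, timeCost: 2 }, // 19 MiB, 2 iterations
  { memoryCost: 12288, timeCost: 3 }, // 12 MiB, 3 iterations
  { memoryCost: 9216, timeCost: 4 },  //  9 MiB, 4 iterations
  { memoryCost: 7168, timeCost: 5 },  //  7 MiB, 5 iterations
]);
const OWASP_BCRYPT_MIN_COST = 10;
const BCRYPT_MAX_PASSWORD_BYTES = 72;

// Options that meet the OWASP floor. memoryCost is kibibytes: writing 19 here
// would request 19 KiB, not 19 MiB.
const ARGON2ID_RECOMMENDED = Object.freeze({
  algorithm: "argon2id",
  memoryCost: 19 * 1024, // 19456 KiB = 19 MiB
  timeCost: 2,
});
const BCRYPT_RECOMMENDED = Object.freeze({
  algorithm: "bcrypt",
  cost: OWASP_BCRYPT_MIN_COST,
});

// Returns a list of findings for an options object; empty means it meets the floor.
function auditPasswordOptions(opts) {
  const findings = [];
  if (opts.algorithm === "bcrypt") {
    if (typeof opts.cost !== "number" || opts.cost < OWASP_BCRYPT_MIN_COST) {
      findings.push(`bcrypt cost ${opts.cost} is below the OWASP minimum of ${OWASP_BCRYPT_MIN_COST}`);
    }
  } else if (opts.algorithm === "argon2id") {
    const m = opts.memoryCost;
    const t = opts.timeCost;
    const meetsSomeRow =
      typeof m === "number" &&
      typeof t === "number" &&
      OWASP_ARGON2ID_ROWS.some((row) => m >= row.memoryCost && t >= row.timeCost);
    if (!meetsSomeRow) {
      findings.push(`argon2id memoryCost=${m} KiB, timeCost=${t} is below every OWASP row (e.g. 19456 KiB with timeCost 2)`);
    }
  } else {
    findings.push(`algorithm ${opts.algorithm}: OWASP recommends argon2id`);
  }
  return findings;
}

// bcrypt only uses the first 72 bytes of the UTF-8 encoding, so count bytes,
// not characters: "ä" is one character but two bytes.
function utf8ByteLength(password) {
  return new TextEncoder().encode(password).length;
}

// Throws instead of letting bcrypt silently truncate; returns the byte length otherwise.
function checkBcryptPasswordLength(password) {
  const n = utf8ByteLength(password);
  if (n > BCRYPT_MAX_PASSWORD_BYTES) {
    throw new RangeError(`password is ${n} bytes; bcrypt ignores everything after ${BCRYPT_MAX_PASSWORD_BYTES}`);
  }
  return n;
}

// Wrapper that refuses weak parameters and over-long bcrypt inputs before
// handing off to Bun.password.hash (only available under the Bun runtime).
async function hashPassword(password, opts = ARGON2ID_RECOMMENDED) {
  const findings = auditPasswordOptions(opts);
  if (findings.length > 0) throw new Error(findings.join("; "));
  if (opts.algorithm === "bcrypt") checkBcryptPasswordLength(password);
  if (typeof Bun === "undefined") {
    throw new Error("Bun.password is only available when running under Bun");
  }
  return Bun.password.hash(password, opts);
}
```

Running `auditPasswordOptions` over the two docs snippets from the issue reports one finding each (Argon2id with 4 KiB of memory falls below every OWASP row; bcrypt cost 4 is below 10), while both `*_RECOMMENDED` objects pass. The audit accepts any OWASP row rather than only the 19 MiB one, so a deployment that prefers 12 MiB with three iterations is not flagged.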