oven-sh / bun

Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
https://bun.sh

Docs: Recommended parameters for `Bun.password.hash()` #6514

Open pilcrowOnPaper opened 8 months ago

pilcrowOnPaper commented 8 months ago

What is the type of issue?

Something else

What is the issue?

OWASP recommends that for Argon2id:

Use Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism.

and for Bcrypt:

For legacy systems using bcrypt, use a work factor of 10 or more and with a password limit of 72 bytes.

OWASP also has a list of recommended configurations for Argon2id for each iteration as well. Both examples in the docs do not meet these recommendations:

```js
// constructed placeholder so the doc snippet runs as-is under Bun
const password = "example-password";

// use argon2 (default)
const argonHash = await Bun.password.hash(password, {
  algorithm: "argon2id", // "argon2id" | "argon2i" | "argon2d"
  memoryCost: 4, // memory usage in kibibytes
  timeCost: 3, // the number of iterations
});

// use bcrypt
const bcryptHash = await Bun.password.hash(password, {
  algorithm: "bcrypt",
  cost: 4, // number between 4-31
});
```

I'm not sure if Bun checks if the password is under 72 bytes when using Bcrypt, but that's another issue.

Where did you find it?

No response
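As an added example (not from the issue, the Bun docs or the Bun project), the doc values above placed next to the OWASP minimums the issue cites, with a small audit helper and the 72-byte bcrypt check the comment raises. It assumes Bun's documented option names (`memoryCost` in kibibytes, `timeCost`, `cost`); the `auditOptions`, `utf8ByteLength`, `fitsBcrypt` and `hashPassword` helpers are hypothetical names introduced here.

```javascript
// Doc examples quoted in the issue: far below the OWASP minimums.
const WEAK_ARGON2ID = { algorithm: "argon2id", memoryCost: 4, timeCost: 3 };
const WEAK_BCRYPT = { algorithm: "bcrypt", cost: 4 };

// OWASP minimums: 19 MiB = 19 * 1024 KiB and 2 iterations; bcrypt work factor >= 10.
// (Bun's options, as documented on the page, expose no parallelism setting.)
const OWASP_ARGON2ID = { algorithm: "argon2id", memoryCost: 19 * 1024, timeCost: 2 };
const OWASP_BCRYPT = { algorithm: "bcrypt", cost: 10 };
const BCRYPT_MAX_BYTES = 72;

// bcrypt only looks at the first 72 bytes of input, so measure the UTF-8 byte
// length, not the JS string length; multi-byte characters count more than once.
function utf8ByteLength(password) {
  return new TextEncoder().encode(password).length;
}

function fitsBcrypt(password) {
  return utf8ByteLength(password) <= BCRYPT_MAX_BYTES;
}

// Lists every way an options object falls short of the OWASP minimums.
function auditOptions(opts) {
  const problems = [];
  if (opts.algorithm === "bcrypt") {
    if (opts.cost < OWASP_BCRYPT.cost) {
      problems.push(`cost ${opts.cost} < ${OWASP_BCRYPT.cost}`);
    }
  } else {
    if (opts.memoryCost < OWASP_ARGON2ID.memoryCost) {
      problems.push(`memoryCost ${opts.memoryCost} KiB < ${OWASP_ARGON2ID.memoryCost} KiB`);
    }
    if (opts.timeCost < OWASP_ARGON2ID.timeCost) {
      problems.push(`timeCost ${opts.timeCost} < ${OWASP_ARGON2ID.timeCost}`);
    }
  }
  return problems;
}

// Hashes with OWASP-level settings by default and refuses over-long bcrypt
// input instead of letting it be silently truncated. Bun-only at call time.
async function hashPassword(password, opts = OWASP_ARGON2ID) {
  if (opts.algorithm === "bcrypt" && !fitsBcrypt(password)) {
    throw new RangeError(`bcrypt input exceeds ${BCRYPT_MAX_BYTES} bytes`);
  }
  return Bun.password.hash(password, opts);
}

if (typeof Bun !== "undefined") {
  console.log(auditOptions(WEAK_ARGON2ID), auditOptions(WEAK_BCRYPT));
  hashPassword("constructed-sample-password").then((h) => console.log(h));
}
```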

argosphil commented 4 months ago

9009 is also about bcrypt and long passwords.