Switch to Argon2id - Githubissues

paolostivanin / OTPClient

Highly secure and easy to use OTP client written in C/GTK3 that supports both TOTP and HOTP

GNU General Public License v3.0

457 stars 47 forks source link

Switch to Argon2id #358

Open elliotwutingfeng opened 3 months ago

elliotwutingfeng commented 3 months ago

Would you be open to switching to Argon2id over 100k iterations of PBKDF2? It would provide better protection for weaker vault passwords.

paolostivanin commented 3 months ago

Sure, I'll think about it. I need to check whether this enhancement is worth the time and effort. I may even think to make this customizable, but then it would require a DB change :thinking: No idea, let's see with what I will come up with.

paolostivanin commented 1 month ago

This change would require libgcrypt version >= 1.10.1 which cannot be found, for example, on Ubuntu <23.10 and openSUSE Leap <=15.5. If I decide to implement this change, it will have to be configurable in order to support older distros.

paolostivanin commented 6 days ago

The switch to Argon2id will happen. I have yet to figure out some minor design things, but it will likely happens before end of summer.

paolostivanin commented 1 day ago

To-Do:

[ ] change db format to support configurable security
[ ] make db security configurable
[ ] switch to argon2id by default