I was going through this crate to decide whether I should use it for a personal project, and I noticed that the `rust-argon2` defaults are used:

https://github.com/tvallotton/rocket_auth/blob/1a7011fd6d2e8b818fbc0e504135d11212472409/src/user/users.rs#L201-L208
https://github.com/tvallotton/rocket_auth/blob/1a7011fd6d2e8b818fbc0e504135d11212472409/src/user/user_impl.rs#L26-L34

(By the way, `create_user` uses a 30-byte salt, but `set_password` only uses a 10-byte salt. That seems...weird, and RFC9106 section 3.1 recommends 16-byte salts.)

Going through the `rust-argon2` crate, we can see in a test that the defaults are configured to `Argon2i, m=4096, t=3, p=1` (the `mem_cost`, `time_cost` and `lanes` parameters).

However, the OWASP guidelines that match most closely suggest that `Argon2id, m=12288, t=3, p=1` should be used instead. One blog agrees with these values, although another (see "Password Hashing") recommends `Argon2id, m=65536, t=3, p=1`.

Either way, even though I'm no cryptographer, I think there's a consensus here that the defaults of the `rust-argon2` crate are not secure enough. While I'm aware that there's a `0.5` major version in the works, it would be nice if you could release a `0.4.1` with the defaults improved.
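As an added example (not code from rocket_auth, rust-argon2 or the issue author), here is a small audit of the encoded Argon2 strings such a crate stores in the database. It parses the PHC-style layout rust-argon2 emits (`$argon2i$v=19$m=4096,t=3,p=1$<salt>$<hash>`, assumed here), checks the variant, `m`/`t`/`p` and the decoded salt length against the OWASP numbers quoted above plus RFC 9106's 16-byte salt, and reports which stored hashes should be rehashed on the user's next successful login. The policy struct, function names and the two sample strings are this example's own; the base64 salt and hash fields in the samples are placeholders, not real digests.

```rust
// Added example: audit stored Argon2 PHC strings against a parameter policy.
// Not part of rocket_auth or rust-argon2. Policy numbers are the OWASP values
// quoted in the issue (Argon2id, m=12288, t=3, p=1) plus RFC 9106's 16-byte
// salt; sample strings are constructed with placeholder base64 fields.

#[derive(Debug, PartialEq, Eq)]
pub struct Argon2Params {
    pub variant: String, // "argon2i", "argon2d" or "argon2id"
    pub version: u32,    // 19 is Argon2 version 0x13
    pub m_cost: u32,     // memory in KiB (rust-argon2's `mem_cost`)
    pub t_cost: u32,     // iterations (`time_cost`)
    pub lanes: u32,      // parallelism (`lanes`)
    pub salt_len: usize, // decoded salt length in bytes
}

/// Minimum acceptable parameters for a stored hash (hypothetical policy type).
pub struct Policy {
    pub require_argon2id: bool,
    pub min_m_cost: u32,
    pub min_t_cost: u32,
    pub min_lanes: u32,
    pub min_salt_len: usize,
}

pub const OWASP_POLICY: Policy = Policy {
    require_argon2id: true, min_m_cost: 12288, min_t_cost: 3, min_lanes: 1, min_salt_len: 16,
};

/// Decoded length of an unpadded base64 field, computed without decoding it.
fn b64_decoded_len(field: &str) -> usize {
    field.len() * 6 / 8
}

/// Parse a PHC-style string: `$argon2i$v=19$m=4096,t=3,p=1$<salt>$<hash>`.
pub fn parse_phc(encoded: &str) -> Result<Argon2Params, String> {
    let parts: Vec<&str> = encoded.split('$').collect();
    // The leading '$' yields an empty first element, so six fields in total.
    if parts.len() != 6 || !parts[0].is_empty() {
        return Err(format!("unexpected field layout in {:?}", encoded));
    }
    let variant = parts[1];
    if !matches!(variant, "argon2i" | "argon2d" | "argon2id") {
        return Err(format!("unknown variant {:?}", variant));
    }
    let version = parts[2].strip_prefix("v=").ok_or("missing version field")?
        .parse::<u32>().map_err(|e| e.to_string())?;
    let (mut m, mut t, mut p) = (None, None, None);
    for kv in parts[3].split(',') {
        let (k, v) = kv.split_once('=').ok_or_else(|| format!("malformed parameter {:?}", kv))?;
        let n = v.parse::<u32>().map_err(|e| e.to_string())?;
        match k {
            "m" => m = Some(n),
            "t" => t = Some(n),
            "p" => p = Some(n),
            _ => return Err(format!("unknown parameter {:?}", k)),
        }
    }
    Ok(Argon2Params {
        variant: variant.to_string(),
        version,
        m_cost: m.ok_or("missing m")?,
        t_cost: t.ok_or("missing t")?,
        lanes: p.ok_or("missing p")?,
        salt_len: b64_decoded_len(parts[4]),
    })
}

/// Policy violations for one stored hash: empty means it passes, non-empty
/// means "rehash this user's password on the next successful login".
pub fn audit(encoded: &str, policy: &Policy) -> Result<Vec<String>, String> {
    let h = parse_phc(encoded)?;
    let mut v = Vec::new();
    if policy.require_argon2id && h.variant != "argon2id" {
        v.push(format!("variant {} (want argon2id)", h.variant));
    }
    let costs = [("m", h.m_cost, policy.min_m_cost), ("t", h.t_cost, policy.min_t_cost),
                 ("p", h.lanes, policy.min_lanes)];
    for (name, got, min) in costs {
        if got < min {
            v.push(format!("{}={} below {}", name, got, min));
        }
    }
    if h.salt_len < policy.min_salt_len {
        v.push(format!("salt is {} bytes, want {}", h.salt_len, policy.min_salt_len));
    }
    Ok(v)
}

// Constructed samples (salt/hash fields are placeholder base64, not real digests):
// rust-argon2 defaults with a 10-byte salt, and the OWASP parameters with a 16-byte salt.
pub const WEAK_DEFAULT: &str =
    "$argon2i$v=19$m=4096,t=3,p=1$c2FsdDEyMzQ1Ng$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";
pub const OWASP_OK: &str =
    "$argon2id$v=19$m=12288,t=3,p=1$MDEyMzQ1Njc4OWFiY2RlZg$BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";

fn main() {
    for s in [WEAK_DEFAULT, OWASP_OK] {
        match audit(s, &OWASP_POLICY) {
            Ok(v) if v.is_empty() => println!("OK      {}", s),
            Ok(v) => println!("REHASH  {} ({})", s, v.join("; ")),
            Err(e) => println!("INVALID {} ({})", s, e),
        }
    }
}
```

The salt length is derived from the unpadded base64 length (`len * 6 / 8`), which is enough to tell a 10-byte salt from a 16-byte one without pulling in a base64 decoder. In a real deployment the `REHASH` outcome would be acted on at login, after the submitted password has verified against the old hash, since that is the only moment the plaintext is available to re-derive it with the stronger parameters.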