Inconsistent documentation for argon2 default hash options #974

Open
choutianxius opened this issue Feb 26, 2025 · 1 comment · May be fixed by #982

Comments

@choutianxius

The actual default options for the argon2 hash produce:

console.log(hash("123456"));
// $argon2id$v=19$m=19456,t=2,p=1$s8PyJzwJrGsbdsRzx4du5g$2lD5nmjRI3zTeUci5GJoAuVMGV9viplQuEHwG3wT14o

This indicates memoryCost = 19 * 2 ** 10 and timeCost = 2, instead of what is suggested in the docs:

...The default value is 4096, meaning a pool of 4 MiB per thread.

...The default value is 3.

@kkshinkai

I'm also confused about this. 4MiB seems unreasonably low for Argon2 and could easily confuse people or even lead them to make insecure decisions. OWASP’s Password Storage Cheat Sheet recommends 19MiB (at least), so making that the default seems like a better idea.

@choutianxius choutianxius linked a pull request Mar 11, 2025 that will close this issue
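
The check made by hand in this thread can be automated by decoding the parameters from the encoded hash string itself. The following is an added example, not code from the issue or from the project: it parses the reported string and compares it with the documented defaults and with the 19 MiB figure cited above. The names `parseArgon2Phc`, `diffOptions`, `meetsMemoryFloor` and `MIN_MEMORY_KIB` are hypothetical.

```javascript
// Hash string copied from the issue report.
const REPORTED =
  "$argon2id$v=19$m=19456,t=2,p=1$s8PyJzwJrGsbdsRzx4du5g$2lD5nmjRI3zTeUci5GJoAuVMGV9viplQuEHwG3wT14o";
// Defaults as quoted from the docs in the issue (memoryCost is in KiB).
const DOCUMENTED = { memoryCost: 4096, timeCost: 3 };
// Assumed policy floor: the 19 MiB figure cited in the thread, in KiB.
const MIN_MEMORY_KIB = 19 * 1024;

// Parse "$argon2<variant>$[v=N$]m=..,t=..,p=..$<salt>$<hash>" (unpadded base64).
function parseArgon2Phc(encoded) {
  const parts = encoded.split("$");
  if (parts[0] !== "" || !/^argon2(id|i|d)$/.test(parts[1] || "")) {
    throw new Error("not an Argon2 PHC string");
  }
  let i = 2;
  let version = 16; // a string with no v= field means version 0x10 (16)
  if (/^v=\d+$/.test(parts[i] || "")) version = Number(parts[i++].slice(2));
  const params = {};
  for (const kv of (parts[i++] || "").split(",")) {
    const [key, value] = kv.split("=");
    params[key] = value;
  }
  for (const key of ["m", "t", "p"]) {
    if (!/^\d+$/.test(params[key] || "")) {
      throw new Error(`missing or non-numeric parameter: ${key}`);
    }
  }
  if (parts.length !== i + 2) throw new Error("expected salt and hash fields");
  return {
    variant: parts[1], version,
    memoryCost: Number(params.m), timeCost: Number(params.t),
    parallelism: Number(params.p),
    saltLength: Buffer.from(parts[i], "base64").length,
    hashLength: Buffer.from(parts[i + 1], "base64").length,
  };
}

// List every option whose effective value differs from the expected one.
function diffOptions(actual, expected) {
  return Object.keys(expected)
    .filter((key) => actual[key] !== expected[key])
    .map((key) => `${key}: expected ${expected[key]}, got ${actual[key]}`);
}

function meetsMemoryFloor(p) { return p.memoryCost >= MIN_MEMORY_KIB; }

const parsed = parseArgon2Phc(REPORTED);
console.log(parsed, diffOptions(parsed, DOCUMENTED), meetsMemoryFloor(parsed));
```

Run against stored hashes, the same check also flags records created with weaker parameters than the current policy, which are candidates for rehashing at next login.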