
Switch WMF production to Argon2 password hashes
Open, Needs Triage, Public

Description

Argon2 is a new-generation key derivation algorithm that was designed to resist side-channel (i variants) and GPU brute force (d variants), unlike our current PBKDF2. Now that we have Argon2 support in core, we should talk about protecting our users with it.

  • Argon2i requires PHP 7.2
  • Argon2id requires PHP 7.3

We need to determine whether we want to wait for PHP 7.3 to get Argon2id, and determine algorithm parameters (memory cost, time cost and thread count).

Event Timeline

MaxSem created this task. Thu, Feb 21, 8:03 AM

Argon2 is a new-generation key derivation algorithm that was designed to resist side-channel (i variants) and GPU brute force (d variants), unlike our current PBKDF2. Now that we have Argon2 support in core, we should talk about protecting our users with it.

It's been a while since I read up on these, but I thought Argon2i is meant to resist side-channel leaks relative to other variants of Argon2, not necessarily in comparison to SHA512-PBKDF.

Memory hardness/GPU-resistance would be the big win here. The i variant is still a very significant improvement over SHA512-PBKDF in that category.

FYI: The Argon2 paper suggests parameters of 0.5 seconds, 1 GB RAM, and 2 threads for password hashing with Argon2i. We should probably make our own determinations, and I'm not sure how old the recommendation in the paper is, but at least that's a starting point.

Bawolff edited projects, added Security-Team; removed Security. Thu, Feb 21, 6:11 PM
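
One way to approach the parameter question raised in the task, as an added example that is not part of the original thread and is not MediaWiki code: a PHP script that picks the strongest Argon2 variant the running PHP offers and raises time_cost until one hash reaches a target duration on the host being measured. The function names, the calibration input and the loop limits are assumptions; the 0.5 s, 1 GB and 2 threads targets are the starting point quoted in the comment above.

```php
<?php
// Added example (not MediaWiki code): find the Argon2 time_cost that reaches a
// target hashing time for a fixed memory cost and thread count on this host.

// Argon2id needs PHP 7.3 and Argon2i PHP 7.2, as listed in the task; both
// constants exist only when PHP was built with Argon2 support.
function pickArgon2Algo()
{
    if (defined('PASSWORD_ARGON2ID')) {
        return PASSWORD_ARGON2ID;
    }
    if (defined('PASSWORD_ARGON2I')) {
        return PASSWORD_ARGON2I;
    }
    throw new RuntimeException('This PHP build has no Argon2 support');
}

// Returns the first option set whose fastest of $runs hashes takes at least
// $targetSeconds. memory_cost is in KiB. Builds that get Argon2 from libsodium
// accept only threads = 1.
function calibrateTimeCost($algo, $memoryKiB, $threads, $targetSeconds, $maxTimeCost = 32, $runs = 3)
{
    for ($timeCost = 1; $timeCost <= $maxTimeCost; $timeCost++) {
        $options = ['memory_cost' => $memoryKiB, 'time_cost' => $timeCost, 'threads' => $threads];
        $best = INF;
        for ($i = 0; $i < $runs; $i++) {
            $start = microtime(true);
            $hash = password_hash('constructed-calibration-input', $algo, $options);
            $best = min($best, microtime(true) - $start);
            if (!is_string($hash)) {
                throw new RuntimeException('password_hash() failed for time_cost ' . $timeCost);
            }
        }
        if ($best >= $targetSeconds) {
            return $options + ['seconds' => $best];
        }
    }
    throw new RuntimeException('Target not reached; raise memory_cost or $maxTimeCost');
}

// Starting point quoted in the comment above: 0.5 s, 1 GB, 2 threads.
$algo = pickArgon2Algo();
$result = calibrateTimeCost($algo, 1024 * 1024, 2, 0.5);
printf(
    "algo=%s memory_cost=%d KiB time_cost=%d threads=%d (%.3f s per hash)\n",
    password_get_info(password_hash('x', $algo))['algoName'],
    $result['memory_cost'], $result['time_cost'], $result['threads'], $result['seconds']
);
```

Run it on hardware that matches the login servers and under concurrent load, since each in-flight hash holds the full memory_cost for its duration.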