
Switch WMF production to Argon2 password hashes
Closed, Declined · Public

Description

Argon2 is a new-generation key derivation algorithm that was designed to resist side-channel (i variants) and GPU brute force (d variants), unlike our current PBKDF2. Now that we have Argon2 support in core, we should talk about protecting our users with it.

  • Argon2i requires PHP 7.2
  • Argon2id requires PHP 7.3

We need to determine whether we want to wait for PHP 7.3 to get Argon2id, and determine algorithm parameters (memory cost, time cost and thread count).


Blocked on completion of T176370: Migrate to PHP 7 in WMF production.

Event Timeline

MaxSem created this task.Feb 21 2019, 8:03 AM
Restricted Application added a subscriber: Aklapper. Feb 21 2019, 8:03 AM

> Argon2 is a new-generation key derivation algorithm that was designed to resist side-channel (i variants) and GPU brute force (d variants), unlike our current PBKDF2. Now that we have Argon2 support in core, we should talk about protecting our users with it.

It's been a while since I read up on these, but I thought Argon2i is meant to resist side-channel leaks relative to other variants of Argon2, not necessarily in comparison to SHA512-PBKDF.

Memory hardness/GPU-resistance would be the big win here. The i variant is still a very significant improvement over SHA512-PBKDF in that category.

FYI: The argon2 paper suggests parameters of 0.5 seconds, 1 GB ram, and 2 threads for password hashing with argon2i. We should probably make our own determinations, and I'm not sure how old the recommendation in the paper is, but at least that's a starting point.

Bawolff edited projects, added Security-Team; removed Security.Feb 21 2019, 6:11 PM
Krinkle updated the task description. Edited Mar 26 2019, 4:40 PM
Krinkle added a subscriber: Krinkle.

De'refing the sub tree for now as it's really its own project. Hopefully makes the graph a bit easier to follow and makes space for other sub tasks that are more directly related to this initiative.

This issue is blocked on PHP 7.2 deployment being completed but is not itself a problem to be solved before PHP 7.2+ can be considered adopted/supported.

Meanwhile, PBKDF2 is now considered a "last resort" algorithm (and we're doing only 30K iterations compared to 85K recommended).

MaxSem closed this task as Declined.Jul 2 2019, 2:37 AM

Unfortunately, Argon2 will most likely be broken in a backwards-incompatible way in PHP 7.4: https://wiki.php.net/rfc/sodium.argon.hash

Can't trust it right now.

> Unfortunately, Argon2 will most likely be broken in a backwards-incompatible way in PHP 7.4: https://wiki.php.net/rfc/sodium.argon.hash
> Can't trust it right now.

I just skimmed the RFC - at first glance it looks like it's backwards compatible as long as we specify a non-default cost of at least 3
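The two open questions in this thread are how to choose the Argon2 parameters (memory cost, time cost, thread count) named in the description and the paper's 0.5 s / 1 GB / 2 threads starting point, and how to stay compatible across the PHP 7.2 / 7.3 / 7.4 changes Bawolff discusses above. The following is an added example written for this page; it is not MediaWiki core's Argon2 password class nor any WMF configuration. It uses only the standard `password_hash` family: it picks Argon2id when the runtime has it and Argon2i otherwise, always passes all three costs explicitly rather than relying on the `PASSWORD_ARGON2_DEFAULT_*` values (which differ between PHP releases), enforces `time_cost >= 3` so the hash stays acceptable to a libsodium-backed `password_hash` (whose argon2i minimum opslimit is 3), keeps `threads` at 1 because the sodium backend does not support other thread counts, calibrates `time_cost` against a wall-clock target, and rehashes on successful login when the stored hash falls below current policy. The concrete numbers (64 MiB, 0.5 s target, the bcrypt stand-in for a legacy hash) are assumptions for illustration, not values from the task.

```php
<?php
declare(strict_types=1);

// Added example (not MediaWiki core / WMF code). Parameter values here are
// illustrative assumptions, not figures decided in the task.

/** Argon2id where the runtime offers it (PHP 7.3+), else Argon2i (PHP 7.2). */
function argon2Algorithm(): string
{
    if (defined('PASSWORD_ARGON2ID')) {
        return PASSWORD_ARGON2ID;
    }
    if (defined('PASSWORD_ARGON2I')) {
        return PASSWORD_ARGON2I;
    }
    throw new RuntimeException('This PHP build has no Argon2 support');
}

/**
 * Build an explicit options array. Never rely on PASSWORD_ARGON2_DEFAULT_*:
 * the defaults changed between PHP releases, so hashes would silently vary
 * in strength by deployment. time_cost >= 3 satisfies libsodium's argon2i
 * minimum opslimit if password_hash() is backed by sodium; threads stays 1
 * because the sodium backend supports no other value.
 */
function argon2Options(int $memoryKiB, int $timeCost, int $threads = 1): array
{
    if ($timeCost < 3) {
        throw new InvalidArgumentException('time_cost must be >= 3');
    }
    if ($memoryKiB < 8 * $threads) {
        throw new InvalidArgumentException('memory_cost must be at least 8 KiB per thread');
    }
    return ['memory_cost' => $memoryKiB, 'time_cost' => $timeCost, 'threads' => $threads];
}

/** Raise time_cost from 3 until one hash takes at least $targetSeconds on this host. */
function calibrateTimeCost(int $memoryKiB, int $threads, float $targetSeconds, int $maxTimeCost = 20): int
{
    $algo = argon2Algorithm();
    for ($t = 3; $t <= $maxTimeCost; $t++) {
        $start = microtime(true);
        password_hash('calibration-password', $algo, argon2Options($memoryKiB, $t, $threads));
        if (microtime(true) - $start >= $targetSeconds) {
            return $t;
        }
    }
    return $maxTimeCost; // cap reached: raise memory_cost instead of looping forever
}

function hashPassword(string $password, array $options): string
{
    return password_hash($password, argon2Algorithm(), $options);
}

/**
 * Verify the password; on success, also report whether the stored hash is
 * below current policy (other algorithm, or lower costs) and hand back a
 * fresh hash the caller must persist. This is how a fleet migrates without
 * a forced reset: every successful login upgrades its own row.
 */
function verifyAndMaybeRehash(string $password, string $storedHash, array $options): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $needsUpgrade = password_needs_rehash($storedHash, argon2Algorithm(), $options);
    return ['ok' => true, 'newHash' => $needsUpgrade ? hashPassword($password, $options) : null];
}

// Usage. 64 MiB and a 0.5 s target are assumed figures for the example.
$threads   = 1;
$memoryKiB = 64 * 1024;
$timeCost  = calibrateTimeCost($memoryKiB, $threads, 0.5);
$options   = argon2Options($memoryKiB, $timeCost, $threads);

// Constructed legacy hash: password_hash() cannot produce PBKDF2, so bcrypt
// stands in for "an older algorithm that policy now wants upgraded".
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT);
$result = verifyAndMaybeRehash('correct horse battery staple', $legacy, $options);

printf("calibrated time_cost: %d\n", $timeCost);
printf("login ok: %s, rehashed: %s\n",
    var_export($result['ok'], true),
    $result['newHash'] === null ? 'no' : 'yes');
if ($result['newHash'] !== null) {
    printf("new hash info: %s\n", json_encode(password_get_info($result['newHash'])));
}
```

Two caveats for a production rollout. Calibrate on the slowest application server class, not a developer laptop, and re-run it after hardware changes, since a fixed `time_cost` is only as meaningful as the machine it was measured on. And because `password_needs_rehash` compares the stored hash's embedded parameters against the policy you pass in, raising memory or time cost later needs no schema change: the next successful login for each user rewrites the row.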

Rxy added a subscriber: Rxy.Aug 13 2019, 10:57 PM
sbassett moved this task from Backlog to Done on the Security-Team board.Fri, Aug 30, 4:11 PM