Argon2 Password Hashing Parameter Security

818 views Asked by At

I'm developing a mobile application and in my lay research of the argon2 password hashing algorithm, it seems that (ignoring the key and salt) there are three main parameters:

  • iterations
  • memory
  • parallelism

While it obviously wouldn't make sense to broadcast these, as far as I see it these will unavoidably need to be compiled within the mobile application and a bad actor could figure out these parameters by decompiling the mobile application.

How protective do I need to be of these parameters?

If these parameters need to be protected, how can I obfuscate these parameters or mitigate the threat to a compiled application? Or, alternatively, can these parameters somehow be distributed by a means other than compiled within the mobile app?

2

There are 2 answers

0
Royce Williams On BEST ANSWER

You should not be at all protective of your default Argon2 parameters.

Instead, you should be proud of them.

You should choose parameters that maximize resistance to offline brute-force attack if the hashes are leaked. You should be confident enough in the math behind selecting them to post them publicly, as per Kerckhoffs' Principle.

2
martinstoeckli On

There is no need to protect those parameters, the security does not depend on them to be secret.

Even more you need them to verify a user entered password, so it is necessary to store them along with the stored password hash (usually they become part of the password-hash). Storing the parameters together with each hashed password allows to adapt the parameters in future (for faster hardware), and still be able to verify older passwords, which where hashed with lower parameters.