I'm developing a mobile application and in my lay research of the argon2 password hashing algorithm, it seems that (ignoring the key and salt) there are three main parameters:
- iterations
- memory
- parallelism
While it obviously wouldn't make sense to broadcast these, as far as I see it these will unavoidably need to be compiled within the mobile application and a bad actor could figure out these parameters by decompiling the mobile application.
How protective do I need to be of these parameters?
If these parameters need to be protected, how can I obfuscate these parameters or mitigate the threat to a compiled application? Or, alternatively, can these parameters somehow be distributed by a means other than compiled within the mobile app?
You should not be at all protective of your default Argon2 parameters.
Instead, you should be proud of them.
You should choose parameters that maximize resistance to offline brute-force attack if the hashes are leaked. You should be confident enough in the math behind selecting them to post them publicly, as per Kerckhoffs' Principle.
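A concrete way to see why hiding the parameters buys nothing: the standard PHC-format string that Argon2 libraries store in the password database already carries m, t and p in clear text, so anyone who obtains the hashes also obtains the parameters. The added example below (not from the answer above, not from any Argon2 library) parses such a string and checks it against a minimum-strength floor; the sample strings are constructed for illustration, and the floor values are an assumption for this check, based on the OWASP-listed Argon2id minimum of 19 MiB, t=2, p=1.

```python
import base64
import re

# Constructed samples: PHC-format Argon2id strings of the kind a library writes to
# the database. Salt and tag bytes are made up; they are not real Argon2 output.
SAMPLE_HASH = ("$argon2id$v=19$m=65536,t=3,p=4"
               "$c2FsdHNhbHRzYWx0c2FsdA"
               "$AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8")
WEAK_HASH = ("$argon2id$v=19$m=1024,t=1,p=1"
             "$c2FsdHNhbHRzYWx0c2FsdA"
             "$AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8")

# $variant$v=version$m=KiB,t=iterations,p=lanes$base64salt$base64tag (no padding)
PHC_RE = re.compile(
    r"^\$(?P<variant>argon2(?:id|i|d))\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<tag>[A-Za-z0-9+/]+)$")

# Assumed policy floor for this check (OWASP's listed Argon2id minimum).
MIN_MEMORY_KIB, MIN_ITERATIONS, MIN_PARALLELISM = 19 * 1024, 2, 1
MIN_SALT_BYTES, MIN_TAG_BYTES = 16, 32


def _b64decode_nopad(s: str) -> bytes:
    """PHC strings drop base64 padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_argon2(encoded: str) -> dict:
    """Extract the public parameters that every stored Argon2 hash reveals."""
    m = PHC_RE.match(encoded)
    if not m:
        raise ValueError("not a PHC-format Argon2 string")
    return {"variant": m["variant"], "version": int(m["version"]),
            "memory_kib": int(m["m"]), "iterations": int(m["t"]),
            "parallelism": int(m["p"]),
            "salt": _b64decode_nopad(m["salt"]), "tag": _b64decode_nopad(m["tag"])}


def check_policy(p: dict) -> list:
    """Return findings for a parsed hash; an empty list means it meets the floor."""
    findings = []
    if p["variant"] != "argon2id":
        findings.append("variant is not argon2id")
    if p["memory_kib"] < MIN_MEMORY_KIB:
        findings.append(f"memory {p['memory_kib']} KiB below {MIN_MEMORY_KIB} KiB")
    if p["iterations"] < MIN_ITERATIONS:
        findings.append(f"iterations {p['iterations']} below {MIN_ITERATIONS}")
    if p["parallelism"] < MIN_PARALLELISM:
        findings.append("parallelism below floor")
    if len(p["salt"]) < MIN_SALT_BYTES:
        findings.append("salt shorter than 16 bytes")
    if len(p["tag"]) < MIN_TAG_BYTES:
        findings.append("tag shorter than 32 bytes")
    return findings
```

Running `check_policy(parse_argon2(...))` over a dump of stored hashes is a useful audit: it is exactly what an attacker who leaked them could do, so the parameters should be chosen to survive that inspection rather than hidden from it.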