Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:104953
Return-Path: <php@golemon.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 20828 invoked from network); 26 Mar 2019 05:24:52 -0000
Received: from unknown (HELO mail-qt1-f180.google.com) (209.85.160.180)
  by pb1.pair.com with SMTP; 26 Mar 2019 05:24:52 -0000
Received: by mail-qt1-f180.google.com with SMTP id d13so8170554qth.5
        for <internals@lists.php.net>; Mon, 25 Mar 2019 19:18:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=YEQC6uBBsfEzBCNGMjkL1VhP7QM1xZ3F9VY7wcHww7M=;
        b=Fw/xv3QyK92zjhwomsaZsGUgKTLSlGWrHmwq0kfcUqYGcz1ZfTuDiRs9NhMduHE5wG
         C4HC4nCC4+q+B3FwJDMvo/lOo6cE83X4ULtsZiX2zgNdBtOtgBHZuyDv5nfyKAcoNUMQ
         wvhyP2kVVwbJrmT5F7DsgSdorqY36QSWP7k0FG/FHCYb2OtkU2NJBoMWBMPg39OoWJVb
         0noB0k+ofBYHGYBAn81MnTx8DOzFiMN/Aahc7mEUR7S+BxHCcOCM36JX+zVGdmfwoCUF
         KR4JU36I9GA6OFaZ7GUD+1zsGjs7BB1UtontjSpZnjXi37LbEQfBrcYqTiPHlkzcIthQ
         WDog==
X-Gm-Message-State: APjAAAUFYidXfHOBjPTpvTePFghHd/bBWWm67I1P8oEhKwW+8Fxml5s6
	tWMuJ2Kyyu8+KPfg+DIIWw63ikPZUz8RoYQaL+9V0CQnCQY46w==
X-Google-Smtp-Source: APXvYqz4JipRyjtP3Vk4vuK8judEQdGUEecs6sB0q3Bc8rHqjx1zdFtBcmuLy2zn0JjiBBiQ3ud5uU68Sul5mnKqDxQ=
X-Received: by 2002:a0c:99e2:: with SMTP id y34mr23453076qve.18.1553566689191;
 Mon, 25 Mar 2019 19:18:09 -0700 (PDT)
MIME-Version: 1.0
Date: Mon, 25 Mar 2019 21:17:58 -0500
Message-ID: <CAESVnVpohz_i+NddFetU9LxrBh=d7FpnK6f=suXgKjUtBwDVqg@mail.gmail.com>
To: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="000000000000a4fcbe0584f5ee06"
Subject: Argon2 default time cost
From: pollita@php.net (Sara Golemon)

--000000000000a4fcbe0584f5ee06
Content-Type: text/plain; charset="UTF-8"

In sitting down to expose libsodium's argon2i password hashing function via
password_hash(), I discovered two things.

The first is that it doesn't seem to support Argon2id for password storage
the way we use it in password_hash().  Bummer, but that's a conversation to
have with Frank, and there's nothing we can do about it for the foreseeable
future.

The second is that crypto_pwhash_str() and crypto_pwhash_str_verify()
reject any attempt to use a "time_cost" value less than three.  Wanna guess
what our default time_cost value is?  That's right, it's two.

So that's a long winded way of asking, does anyone see an issue with upping
the default time cost for argon2 to a higher number? (e.g. "3")  This will
ensure that the following actually works as expected and doesn't give users
confusing result and more importantly, allows us to use sodium to back
argon hashing interchangeably with the more lenient libargon.

$hash = password_hash("Foo", PASSWORD_ARGON2I);
var_dump(sodium_crypto_pwhash_str_verify($hash, "Foo")); // currently
FALSE, due to t < 3.

The only negative impact is that password hashing becomes a slightly more
expensive task.  Where "slightly" means 3ms instead of 2ms on my Linux VM
running on my 2 core Mac laptop.

-Sara

--000000000000a4fcbe0584f5ee06--