[lighthawk]

Instead of just recommending one across the board, I wish they'd be specific about the requirements required for it to be considered the best choice. For example, is it the best choice for computing a hash on a RPi A+ that has a max of 256MB memory?

Also, the benchmark it includes only benchmarks Argon2. Would be nice to have a benchmark that compares it to a variety of commonly-used hashing algorithms that could be run on lower-end systems along with a way to report them, then those reports could be collected and published.

I also worry when I read something that sounds like whitepaper-speak in something trying to pass itself off as a scientific paper:

"Our solution We offer a hashing scheme called Argon2. Argon2 summarizes the state of the art in the design of memory-hard functions. It is a streamlined and simple design. It aims at the highest memory filling rate and effective use of multiple computing units, while still providing defense against tradeoff attacks. Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of the recent Intel and AMD processors."

[tptacek]

Most of the motivation of a password hash function derives from the attacker's resources, not the defender's. Realistic designs will nod to the defender's constraints (Argon2 is designed to work especially well from x86), but the bulk of the design work is in thwarting attacks launched from optimal hardware dedicated entirely to the proposition of breaking that hash.

So it's not entirely a great idea to try to find a password hash optimized for e.g. low-power ARM applications. You should just use Argon2 (in a new design, if the reference code works for you), or bcrypt/scrypt/PBKDF2 if you don't have good code for Argon2.

[lighthawk]

Following that, wouldn't the best idea be to increase the requirements such that you need something ridiculously intense to compute it, like a Tianhe-2? Something that requires more intense hardware may be the best algorithm, but at some point you need something practical.

If all other methods are insecure, then you wouldn't want to encourage those and would want to warn others. But, is it really that much more secure than the others?

[stouset]

You can do this in practice by simply increasing the cost parameters. Actually requiring this would be a fantastic way of authoring a spec that nobody uses in practice. The point of a password hashing function is not to simply produce the hardest possible hashes to crack — it's to do so given the resources the defender has available to allocate.

[lighthawk]

> it's to do so given the resources the defender has available to allocate.

That's my point exactly.

For any popular currently-sold piece given hardware, it would be nice to know which algorithm should be used rather than to just say, "This is better. Use this which requires better hardware."

Don't get me wrong. I appreciate all of the work, but there are people that run on hardware that isn't as capable, so I think making blanket statements about what's best may not be the right idea. Qualify it at least.

[tptacek]

I think you're missing a subtlety of the design here. When we talk about the hardware it takes to "run" these constructions, we are (mostly) talking about the requirements we impose on attackers.

Argon2 will work fine on your RPi A+.

[lighthawk]

Cool.

So, when it states, "Argon2 is optimized for the x86 architecture and exploits the cache and memory organization of the recent Intel and AMD processors," and "We recommend Argon2 for the applications that aim for high performance. Both versions of Argon2 allow to fill 1 GB of RAM in a fraction of second, and smaller amounts even faster," that does not indicate that Argon2 might not be the best choice for something like a RPi A+? Because that confused me. It really seemed like something that assumes better hardware to be a good choice.

[cm2187]

But wouldn't the problem be that you would be exposed to a DDOS attack? All the attackers would need to do is to try to login many times to your servers and they would be buried calculating hashes.

[mentat]

One of the ways for embedded devices to address this is require a hardware resident key is part of the hashing process (handled in hardware). Otherwise, if someone can get the hashes, you're not going to be able to find cost factors that provide good user experience and are also resistant to off device attacks.

[tptacek]

I think I'm having trouble coming up with the embedded hardware use case that requires real-time validation of lots and lots of different passwords. Because if all you have is a couple of passwords, you have a lot more wiggle room for your hash performance than most Rails apps do.

[bradleyjg]

Wouldn't a (high entropy) shared secret be more appropriate authentication scheme for connecting to a low power device like that?

[stouset]

This is entirely dependent on whatever thing you're trying to build.