IT professionals these days should already be relying on, among other things, #Argon2 and/or #AES when they offer you secure access to #online products. In #Switzerland, for the #government and #police, apparently not… grml
«#Cyberattack – federal government sticks with hacked #IT firm Xplain despite data meltdown (#GAU):
Federal specialists give the green light for continued cooperation with #Xplain. The company publishes new details about the #Hacking attack from last spring.»
https://codeberg.org/valpackett/argon2ian is #argon2 built as #wasm #webassembly for evergreen browsers and #deno, but like, size-optimized for real. Only 8.5 KB for the whole async (web workers powered) JS wrapper, and that's with everything inline, no external file loads at all – completely bundle-able like a normal JS module. No text encoding for the hashes though, just the raw stuff.
p.s. if anyone is interested in cronching some other library like this, you could maybe hire me for such a project :)
Hi @sc00bz and @epixoip, I recently came across your recommendations not to (blindly) use #Argon2 as a #PHF (but it's a good #KDF), since this requires runtimes that make it (usually) inapplicable for password hashing. Or, phrased differently, it would require lowering the security parameters in order to stay performant, so that the security of the hashing would be compromised.
The #Bcrypt article on Wikipedia put forth a similar claim, but without any citations and phrased a bit misleadingly (IMO). I've adjusted the article and added two citations. If you have time, I'd be glad if you could give some feedback on this, as there are only a few citable sources on this and I'm by far no expert on the matter:
Edit: I am being ridiculous here: I forgot to run with the --release flag. 🤦♂️ So while the performance differences are really there, it’s more like a factor of four from the fastest (just-argon2) to the slowest (argon2) implementation.
Interesting conclusion on the state of the #rustlang ecosystem: the only #Argon2 implementation still under active development (argon2) is also by far the slowest one. Unless I mixed up some numbers, it is six times slower than rust-argon2 and four times slower than argon2rs.
The really fast implementations are the ones wrapping the argon2 C library, these haven’t been updated in years however and often provide a really awkward API. While argonautica has non-trivial system dependencies, just-argon2 works without.