[wp-trac] [WordPress Trac] #39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3

WordPress Trac noreply at wordpress.org
Fri Jan 6 20:29:40 UTC 2017


#39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
------------------------------------------+------------------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:
     Type:  enhancement                   |      Status:  new
 Priority:  normal                        |   Milestone:  Awaiting Review
Component:  Security                      |     Version:  trunk
 Severity:  normal                        |  Resolution:
 Keywords:                                |     Focuses:
------------------------------------------+------------------------------

Comment (by mmaunder):

 Moving to a GPU-resistant hashing algorithm would be a huge improvement
 for WP. So as a general idea I fully support this and I think many others
 do too.

 Argon2 is a relatively new algorithm. Are any other widely used projects
 using it yet? Would WP be the early adopter here?

 This provides some benchmarks: https://github.com/P-H-C/phc-winner-argon2

 I'm interested in what a real-world configuration/usage of Argon2 would
 look like that would be WP hosting environment friendly. I would say that
 a few reasonable assumptions are:

 You will only have 1 CPU core available.
 You should not use more than 10MB of memory.
 Hashing should not take longer than 0.5 seconds or it affects the user
 experience.

 Is it possible to use Argon2 within these constraints and still be GPU
 resistant?

 Last question: Can you talk about your choice of Argon2i over Argon2d?
 Keep in mind your audience includes non-infosec and non-crypto people.

 Thanks for starting the conversation, Scott!!

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39499#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
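
Added example, not part of the ticket or of WordPress core: a PHP script that measures which Argon2i time_cost fits the limits proposed in the comment above (1 core, 10MB of memory, 0.5 seconds) on the host it runs on. It assumes PHP 7.2 or later built with Argon2 support and reads "10MB" as 10240 KiB; the function and constant names are hypothetical.

```php
<?php
// Added example. Limits come from the comment above; names are hypothetical.
const MEMORY_KIB = 10240; // "10MB" read as 10240 KiB, the unit memory_cost uses
const THREADS    = 1;     // one CPU core
const BUDGET_SEC = 0.5;   // longest acceptable hashing time
const SAMPLE_PW  = 'constructed-sample-password'; // constructed test input

/** Time one Argon2i hash with the given time_cost, in seconds. */
function time_one_hash(int $timeCost): float
{
    $opts = ['memory_cost' => MEMORY_KIB, 'time_cost' => $timeCost, 'threads' => THREADS];
    $start = microtime(true);
    if (!is_string(password_hash(SAMPLE_PW, PASSWORD_ARGON2I, $opts))) {
        throw new RuntimeException("password_hash failed at time_cost=$timeCost");
    }
    return microtime(true) - $start;
}

/**
 * Largest time_cost (number of passes) whose measured time fits the budget.
 * Starts at 3 because some PHP builds reject lower values for Argon2i.
 * Returns 0 when even the first setting is too slow on this host.
 */
function calibrate_time_cost(int $maxCost = 64): int
{
    $best = 0;
    for ($t = 3; $t <= $maxCost; $t++) {
        // Take the slower of two runs so a lucky measurement does not win.
        $elapsed = max(time_one_hash($t), time_one_hash($t));
        if ($elapsed > BUDGET_SEC) {
            break;
        }
        $best = $t;
    }
    return $best;
}

if (!defined('PASSWORD_ARGON2I')) {
    exit("This PHP build has no Argon2i support.\n");
}
$t = calibrate_time_cost();
if ($t === 0) {
    exit("Even time_cost=3 exceeds the budget on this host.\n");
}
$hash = password_hash(SAMPLE_PW, PASSWORD_ARGON2I,
    ['memory_cost' => MEMORY_KIB, 'time_cost' => $t, 'threads' => THREADS]);
echo "time_cost=$t\n$hash\n"; // the hash string embeds the m, t and p it used
var_dump(password_verify(SAMPLE_PW, $hash));
```

The result only describes the machine it ran on, so it needs to be measured on the slowest hosting tier the site is expected to support.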

