[wp-trac] [WordPress Trac] #39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
WordPress Trac
noreply at wordpress.org
Fri Jan 6 20:29:40 UTC 2017
#39499: Migrate Password Hashing from 8192 rounds of salted MD5 to Argon2i v1.3
------------------------------------------+------------------------------
Reporter: paragoninitiativeenterprises | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version: trunk
Severity: normal | Resolution:
Keywords: | Focuses:
------------------------------------------+------------------------------
Comment (by mmaunder):
Moving to a GPU resistant hashing algorithm would be a huge improvement
for WP. So as a general idea I fully support this and I think many others
do too.

Argon2 is a relatively new algorithm. Are any other widely used projects
using it yet? Would WP be the early adopter here?

This provides some benchmarks: https://github.com/P-H-C/phc-winner-argon2

I'm interested in what a real-world configuration/usage of Argon2 would
look like that would be WP hosting environment friendly. I would say that
a few reasonable assumptions are:

 * You will only have 1 CPU core available.
 * You should not use more than 10MB of memory.
 * Hashing should not take longer than 0.5 seconds or it affects the user
   experience.

Is it possible to use Argon2 within these constraints and still be GPU
resistant?

Last question: Can you talk about your choice of Argon2i over Argon2d?
Keep in mind your audience includes non-infosec and non-crypto people.

Thanks for starting the conversation Scott!!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39499#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
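
One way to measure the three constraints listed in the comment above on a given host, as an added example that is not part of the original message or of WordPress core. It assumes PHP 7.2 or later built with Argon2 support; the search ceiling, the sample password and the function names are constructed for illustration.

```php
<?php
// Added example: find the largest Argon2i time_cost that stays inside the
// budget from the comment (1 core, 10 MB, 0.5 s) on the machine it runs on.

const MEMORY_KIB    = 10240; // 10 MB ceiling; memory_cost is expressed in KiB
const THREADS       = 1;     // single CPU core
const BUDGET_SEC    = 0.5;   // maximum acceptable hashing time
const MAX_TIME_COST = 64;    // search ceiling (assumption, not from the ticket)

// Time one parameter set. The slowest of three runs is returned because the
// budget is a ceiling, not an average.
function time_hash(int $timeCost): float
{
    $opts  = ['memory_cost' => MEMORY_KIB, 'time_cost' => $timeCost, 'threads' => THREADS];
    $worst = 0.0;
    for ($i = 0; $i < 3; $i++) {
        $start = microtime(true);
        password_hash('constructed-sample-password', PASSWORD_ARGON2I, $opts);
        $worst = max($worst, microtime(true) - $start);
    }
    return $worst;
}

// Raise time_cost until the budget is exceeded; return the last value that fit,
// or null when even a single pass is too slow.
function calibrate(): ?array
{
    $chosen = null;
    for ($t = 1; $t <= MAX_TIME_COST; $t++) {
        $elapsed = time_hash($t);
        if ($elapsed > BUDGET_SEC) {
            break;
        }
        $chosen = ['time_cost' => $t, 'seconds' => $elapsed];
    }
    return $chosen;
}

if (!defined('PASSWORD_ARGON2I')) {
    fwrite(STDERR, "This PHP build has no Argon2 support.\n");
    exit(1);
}
$result = calibrate();
if ($result === null) {
    echo "time_cost=1 already exceeds " . BUDGET_SEC . " s at " . MEMORY_KIB . " KiB\n";
} else {
    printf("memory_cost=%d KiB threads=%d time_cost=%d (%.3f s)\n",
        MEMORY_KIB, THREADS, $result['time_cost'], $result['seconds']);
}
```

The result is host-specific, so it needs to be run on the slowest hosting tier that has to be supported; it reports what fits the budget and says nothing by itself about resistance to GPU cracking.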