RFC is no longer a draft (RFC9106); default parameter choice out of date about argon2-cffi HOT 4 CLOSED

It may also be useful to set some flag for which set of default parameters may be preferred.

Some possible implementations:

1. Boolean reduced_memory. Causes defaults to be overwritten by reduced memory defaults.
2. Passing a parameter object. Could be part of the constructor and override defaults or separate from constructor as a class method:

   class PasswordHasher:
       ...
       @classmethod
       def with_default_parameters(cls, parameters: Parameters) -> PasswordHasher:
           # note: DefaultParameters and LowMemoryDefeaultParameters objects
           # would need to be defined elsewhere
           return PasswordHasher(
               time_cost=parameter.time_cost,
               ...
           )

   (This isn't a complete implementation, as it doesn't allow for parameter override --- just a proof of concept)
3. LowMemoryPasswordHasher child class.

from argon2-cffi.

Hi Brendan, sorry for the long silence. When you opened this issue I was traveling (!!!!) and I've been procrastinating on a release ever since because it's a big topic.

I think the best way forward is making the low-mem case the default and allow to create hashers from Parameters as per your option 2.

It was so clear that they had to publish the final version a few days after I published a basically non-release. 🤪

from argon2-cffi.

I think the best way forward is making the low-mem case the default and allow to create hashers from Parameters as per your option 2.

Would this provide a default high memory Parameters object? e.g. something like

from argon2 import PasswordHasher, HighMemoryParameters

high_mem_hasher = PasswordHasher.from_parameters(HighMemoryParameters)

from argon2-cffi.

Yeah, I’d supply both RFC options at least. Maybe additionally the current defaults for people who want to keep them. Could live in a separate module argon2.profiles.RFC9106HighMemory or something.

from argon2-cffi.