
[6.x] Update the default Argon2 options #5788


Merged
merged 1 commit into from
Feb 1, 2022

Conversation

claudemarson

I noticed 2 problems with the default Argon2 options.

Argon2 options may be dated

When first introduced, the indicated values for memory cost, time cost and threads for Argon2 hashing were the same as defined in their PHP constant counterparts. However, they have since been updated in PHP bug #78269, where the old defaults are called "weak".

New values are as follows:

'argon' => [
    'memory' => 65536,
    'threads' => 1,
    'time' => 4,
],

Argon2 threads option is lowered further on RHEL

A second issue arises when using the old values on PHP supplied from Remi's RPM repository, e.g. on RHEL. For creating new hashes, PHP here relies on libsodium (on PHP version 7.4 onwards), which does not support a thread value > 1.

As a result, the threads option is lowered from 2 to 1 when generating a new password hash in Laravel 6.

>>> config('hashing.argon.memory')
=> 1024
>>> config('hashing.argon.time')
=> 2
>>> config('hashing.argon.threads')
=> 2
>>> Illuminate\Support\Facades\Hash::make('password')
=> "$argon2id$v=19$m=1024,t=2,p=1$RYHaLaomzQJndI6JwX3QsQ$09pfe8PsWhTY7AgoDBivE/Fr+Jhb5wdjN73U4I9n1ls"

This may not affect a lot of people, but updating the Argon2 options to the values now used by PHP can easily fix this. It would also bring Laravel's Argon2 options back in line with PHP's.
Site admins may then want to check if they have stored any password hashes affected by this and have to decide whether or not to reset the users' passwords.
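
The check the last sentence asks of site admins, as an added example that is not part of this PR or of Laravel's code. It is plain PHP (7.3 or later, built with Argon2id support) so it runs outside a Laravel app; note that PHP's option keys are `memory_cost`, `time_cost` and `threads`, whereas Laravel's `config/hashing.php` uses `memory`, `time` and `threads`. The stored hash is the one from the PR description above; the helper names `argonParams`, `argonWeakerThan` and `upgradeOnLogin` are this example's own.

```php
<?php
declare(strict_types=1);

// Added example; not code from this PR or from Laravel. Plain PHP is used so it
// runs outside a Laravel app (needs PHP >= 7.3 built with Argon2id support).

// Laravel 6's pre-PR defaults, as read from config('hashing.argon') above.
const ARGON_OPTIONS_OLD = ['memory_cost' => 1024, 'time_cost' => 2, 'threads' => 2];

// The values this PR switches to; they equal PHP's own defaults after bug #78269.
const ARGON_OPTIONS_NEW = [
    'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST, // 65536 KiB
    'time_cost'   => PASSWORD_ARGON2_DEFAULT_TIME_COST,   // 4
    'threads'     => PASSWORD_ARGON2_DEFAULT_THREADS,     // 1
];

// Pull m=, t= and p= out of a PHC-format Argon2 string, i.e. what was
// actually stored rather than what the configuration asked for.
function argonParams(string $hash): ?array
{
    if (!preg_match('/^\$argon2(?:id|i|d)\$v=\d+\$m=(\d+),t=(\d+),p=(\d+)\$/', $hash, $m)) {
        return null; // bcrypt, unknown algorithm, or malformed string
    }
    return ['memory_cost' => (int) $m[1], 'time_cost' => (int) $m[2], 'threads' => (int) $m[3]];
}

// A hash is "weak" under a policy when it cost less memory or fewer passes
// than the policy demands. The thread count is ignored on purpose: p is a
// parallelism setting, and (as the PR shows) the libsodium backend writes
// p=1 regardless of what was requested, so comparing it only yields
// spurious mismatches.
function argonWeakerThan(string $hash, array $policy): bool
{
    $p = argonParams($hash);
    return $p === null
        || $p['memory_cost'] < $policy['memory_cost']
        || $p['time_cost'] < $policy['time_cost'];
}

// The login-time upgrade path: only once the password is known to be correct
// is the plaintext available, so re-hash it under the new policy right there
// and have the caller replace the stored value.
function upgradeOnLogin(string $plain, string $stored, array $policy): ?string
{
    if (!password_verify($plain, $stored)) {
        return null; // wrong password; never rehash on failure
    }
    return argonWeakerThan($stored, $policy)
        ? password_hash($plain, PASSWORD_ARGON2ID, $policy)
        : $stored;
}

// Hash from the PR description, produced by the Laravel 6 defaults on a libsodium build.
$stored = '$argon2id$v=19$m=1024,t=2,p=1$RYHaLaomzQJndI6JwX3QsQ$09pfe8PsWhTY7AgoDBivE/Fr+Jhb5wdjN73U4I9n1ls';

var_dump(argonParams($stored));                        // memory_cost 1024, time_cost 2, threads 1
var_dump(argonWeakerThan($stored, ARGON_OPTIONS_NEW)); // bool(true)

// PHP's own exact-parameter check agrees here, because m and t differ.
var_dump(password_needs_rehash($stored, PASSWORD_ARGON2ID, ARGON_OPTIONS_NEW));

// 'password' is what Hash::make() was given in the tinker session above.
$upgraded = upgradeOnLogin('password', $stored, ARGON_OPTIONS_NEW);
var_dump(argonParams($upgraded)); // memory_cost 65536, time_cost 4, threads 1 on either backend
```

Running `argonWeakerThan()` over the users table answers the "have we stored any affected hashes" question without needing plaintexts; actually replacing them needs either the login-time path above or a forced reset. In Laravel, `Hash::needsRehash()` wraps `password_needs_rehash()` with the configured options, and `password_needs_rehash()` reports a mismatch when any of m, t or p differ from the options it is given (at least with the libargon2 backend). That is why a configuration of `threads => 2` on a backend that writes `p=1` is worth watching: every hash looks stale, and each rehash produces another `p=1` hash. Comparing cost rather than exact values, as `argonWeakerThan()` does, avoids that loop.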

@taylorotwell taylorotwell merged commit 13e5d27 into laravel:6.x Feb 1, 2022
@claudemarson claudemarson deleted the 6.x branch February 1, 2022 20:15
@GrahamCampbell GrahamCampbell changed the title Update the default Argon2 options [6.x] Update the default Argon2 options Feb 2, 2022
@driesvints
Member

@claudemarson you sent this in to 6.x which isn't supported anymore. I'm gonna port this to 8.x, thanks!

@claudemarson
Author

My plan was to target 6.x due to its security aspect. The docs claim that 6.x still gets security fixes.

You ported it to 8.x, it just needs to get merged into the master branch for 9.x too.

ramdanegie pushed a commit to ramdanegie/laravel that referenced this pull request Apr 5, 2025