Hacker News
Password with Argon2 Algorithm, the Winner of the Password Hashing Competition (argon2.online)
65 points by jmallone on June 24, 2021 | 15 comments



The competition was in 2015[0]. Perhaps the title should include 2015 (when the competition closed and Argon2 won) or should be adjusted to "Argon2 Hash Generator & Verifier" (the name of the linked page - unrelated to the competition).

[0]: https://www.password-hashing.net/


I don't distrust https://www.password-hashing.net/, but I have a hard time gauging its credibility. Why should I trust the results of its password hashing competition?


You shouldn't. You should trust the subsequent research (or lack thereof of results) and compare its record to other similar algorithms.


Why should you trust AES? An algorithm chosen by a competition?


Tbf, NIST has a much bigger reputation, and the AES competition was a much larger affair attracting a large swath of experts.


PHC had some of the biggest names in the crypto field, had NIST representation and multi-stage evaluations with top-notch testing.

PHC was far more mature in many ways over AES.


I hear yescrypt is the successor of Argon2:

https://www.openwall.com/yescrypt/


Wait, why would it be a successor if they were both in the PHC and yescrypt didn't win?


I’ve never heard of the PHC, is it a big deal?


Well, it is the article we are in theory discussing.


Right, so is this some random running their own tests or is this the gold standard of testing these days? I’ve been out of the crypto game for a decade.


Is there any reason not to use Argon2i or Argon2id over Argon2? Non-public side-channel exploits seem inevitable.


"Non-public side-channel exploits seem inevitable" Have to disagree here buddy

Argon2d has better resistance to TMTO and hardware-accelerated cracking due to the data-dependent memory access.

Side-channel attacks are not practical in many scenarios and won't be the easiest way to extract secrets in them.

Local hashing of any sort without external interaction is better with argon2d for better cracking resistance.

Those are great on paper, but in practice you either have a much easier way to extract those secrets with the amount of access you need for a side-channel attack or they are too unreliable to truly leverage.

Many solutions use argon2d with great success.


Why are people giving their IPs and other identifying info to a stranger (by loading a website), then giving them their passwords?

What reason do I have for generating a hash of my password in this context?


I don’t think it’s meant to be used as a legitimate password generator. It’s meant to showcase the knobs you can tweak on the algorithm. It’s a marketing tool.
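
As an added illustration (not from the thread or from argon2.online): a small offline parser for the standard Argon2 encoded-hash string, reporting the variant debated above and the memory, time and parallelism knobs, and flagging values below a policy floor. The function names, the sample hashes and the floor values passed in are assumptions made for this example.

```python
import base64
import re

# Memory access pattern per variant: the Argon2d vs Argon2i/Argon2id trade-off
# discussed in the thread comes down to this property.
ACCESS = {"argon2d": "data-dependent", "argon2i": "data-independent",
          "argon2id": "hybrid"}

# $argon2<variant>$v=<ver>$m=<KiB>,t=<passes>,p=<lanes>$<salt b64>$<tag b64>
ENCODED = re.compile(r"^\$(argon2(?:id|i|d))\$(?:v=(\d+)\$)?m=(\d+),t=(\d+),p=(\d+)"
                     r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$")

def b64_len(field):
    # Encoded hashes drop '=' padding; restore it before decoding.
    return len(base64.b64decode(field + "=" * (-len(field) % 4)))

def parse_encoded(encoded):
    m = ENCODED.match(encoded.strip())
    if m is None:
        raise ValueError("not an Argon2 encoded hash")
    variant, version, mem, passes, lanes, salt, tag = m.groups()
    return {"variant": variant, "access": ACCESS[variant],
            "version": int(version) if version else None,
            "memory_kib": int(mem), "time_cost": int(passes),
            "parallelism": int(lanes),
            "salt_len": b64_len(salt), "tag_len": b64_len(tag)}

def audit(encoded, min_memory_kib, min_time, allowed=("argon2id",)):
    # The floor values and allowed variants are the caller's policy, not a standard.
    info, findings = parse_encoded(encoded), []
    if info["variant"] not in allowed:
        findings.append(f"variant {info['variant']} ({info['access']} access) not allowed")
    if info["memory_kib"] < min_memory_kib:
        findings.append(f"memory {info['memory_kib']} KiB below {min_memory_kib} KiB")
    if info["time_cost"] < min_time:
        findings.append(f"time cost {info['time_cost']} below {min_time}")
    return info, findings

def make_sample(variant, m, t, p):
    # Constructed sample: fixed salt and an all-zero tag, NOT a real Argon2 output.
    salt = base64.b64encode(b"constructed-salt").decode().rstrip("=")
    tag = base64.b64encode(bytes(32)).decode().rstrip("=")
    return f"${variant}$v=19$m={m},t={t},p={p}${salt}${tag}"

if __name__ == "__main__":
    for sample in (make_sample("argon2d", 4096, 1, 1),
                   make_sample("argon2id", 65536, 3, 4)):
        info, findings = audit(sample, min_memory_kib=65536, min_time=3)
        print(info["variant"], info["memory_kib"], findings or "ok")
```

Everything here runs locally on an already-encoded hash, so no password leaves the machine.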



