[GH-ISSUE #1673] argon2 support #1315

Closed
opened 2026-02-27 11:16:29 +03:00 by kerem · 3 comments

Originally created by @Arvedui on GitHub (Feb 11, 2019).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/1673

[From the django docs:](https://docs.djangoproject.com/en/1.11/topics/auth/passwords/#using-argon2-with-django)

> Argon2 is the winner of the 2015 Password Hashing Competition, a community organized open competition to select a next generation hashing algorithm. It’s designed not to be easier to compute on custom hardware than it is to compute on an ordinary CPU.

As indicated, django supports argon2 and [dovecot](https://wiki.dovecot.org/Authentication/PasswordSchemes) does as well.
Unfortunately, passlib only supports argon2i, not argon2id. The latter seems to be the better one for general use. And since passlib upstream seems to have died in 2017, I would not bet on them implementing it anytime soon. There is even a working patch which was completely ignored.
However, argon2-cffi, which is the preferred argon2 backend of passlib, does support argon2id and defaults to it. It is quite high level as well, so it would be pretty easy to implement.

I could do it myself if there is no objection against using argon2-cffi.


@tonioo commented on GitHub (Feb 25, 2019):

@Arvedui That's a good idea and there is no objection against using argon2-cffi ;)


@Arvedui commented on GitHub (Mar 1, 2019):

Great!

One thing though:
argon has 3 parameters

  • number of iterations
  • size of memory used
  • number of threads

The library's defaults are sensible as far as I can tell, but they should be tweakable.
Would it be acceptable if that could only be done in settings.py?


@tonioo commented on GitHub (Mar 1, 2019):

@Arvedui I think so, we just need to provide acceptable default values.
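
Added example, not part of the original thread and not modoboa's code: a standard-library check that reads the variant and the three parameters discussed above (iterations, memory, threads) out of a stored Argon2 encoded hash and reports where it differs from values configured in `settings.py`. The `ARGON2_POLICY` name, its keys and values, and the sample hashes are assumptions constructed for illustration, not recommended defaults.

```python
import re

# Hypothetical settings.py block; names and values are placeholders.
ARGON2_POLICY = {"variant": "argon2id", "time_cost": 2,
                 "memory_cost": 65536, "parallelism": 2}

_ENCODED = re.compile(
    r"^(?:\{[A-Za-z0-9-]+\})?"             # optional Dovecot-style {SCHEME} prefix
    r"\$(argon2(?:id|i|d))"                # variant
    r"(?:\$v=(\d+))?"                      # version field, absent in old hashes
    r"\$m=(\d+),t=(\d+),p=(\d+)"           # memory (KiB), iterations, threads
    r"\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"   # unpadded base64 salt and digest
)

def parse_argon2(encoded):
    """Split an Argon2 encoded hash into its variant, version and parameters."""
    m = _ENCODED.match(encoded)
    if not m:
        raise ValueError("not an Argon2 encoded hash")
    variant, version, mem, t, p = m.groups()
    return {"variant": variant,
            "version": int(version) if version else 16,  # no v= means 0x10
            "memory_cost": int(mem), "time_cost": int(t), "parallelism": int(p)}

def rehash_reasons(encoded, policy=ARGON2_POLICY):
    """Return the fields in which a stored hash differs from the policy."""
    h = parse_argon2(encoded)
    reasons = []
    if h["variant"] != policy["variant"]:
        reasons.append("variant")
    if h["version"] < 19:                  # 19 == 0x13, the current version
        reasons.append("version")
    for key in ("time_cost", "memory_cost", "parallelism"):
        if h[key] != policy[key]:
            reasons.append(key)
    return reasons

# Constructed sample hashes (salt is "somesalt", digests are dummy values).
_DIGEST = "A" * 43
SAMPLES = [
    "{ARGON2ID}$argon2id$v=19$m=65536,t=2,p=2$c29tZXNhbHQ$" + _DIGEST,
    "$argon2i$v=19$m=512,t=2,p=2$c29tZXNhbHQ$" + _DIGEST,
    "$argon2i$m=65536,t=2,p=2$c29tZXNhbHQ$" + _DIGEST,
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:32] + "...", rehash_reasons(s) or "ok")
```

A non-empty result marks a hash to be recomputed at the user's next successful login, which is how a change made in `settings.py` would reach already-stored argon2i hashes.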
