[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Argon2 Password Hashing

To: Simon Levermann <simon@slevermann.de>, openldap-devel@openldap.org
Subject: Re: Argon2 Password Hashing
From: Howard Chu <hyc@symas.com>
Date: Tue, 7 Mar 2017 17:31:16 +0000
In-reply-to: <WM!9bf0f5bdb6870da85d80d77c5addfc28ac70eb8a108a3a866f6b4065c4df9685dea835bbca2b395f4a494d0fc0b97a51!@mailstronghold-3.zmailcloud.com>
References: <5c5be76b-f9f2-26a4-e5b4-ab327b1e6c14@slevermann.de> <WM!9bf0f5bdb6870da85d80d77c5addfc28ac70eb8a108a3a866f6b4065c4df9685dea835bbca2b395f4a494d0fc0b97a51!@mailstronghold-3.zmailcloud.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46a2

Simon Levermann wrote:

2) Libsodium exposes an API for random-number-generation. Should I use
this API for generating the salt when using argon2, or should I always
use the openldap-builtin lutil_entropy?

Salts are not sensitive data, they're always stored in the clear anyway. Theonly property they're required to have is to be unique among a givenpopulation of users/passwords. lutil_entropy is preferable just foruniformity, but it's not really critical. You could use anything, as long asyou're not using something like this https://www.xkcd.com/221/ .


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Argon2 Password Hashing
  - From: Simon Levermann <simon@slevermann.de>

Prev by Date: Re: Argon2 Password Hashing
Next by Date: Re: scrypt ASICs - litecoin N, r, p settings - Re: Revisiting the SHA1 default password hash
Index(es):
- Chronological
- Thread