Comeonin password hashing library

Two things I would like to mention:

First, there is this issue about redesigning Comeonin. I can see arguments for and against the proposed changes, and I would welcome any feedback you might have. As Comeonin is widely used, I want to get as much feedback as I can before making a final decision.

Second, I have set up a patreon page to accept donations. I would like to stress that Comeonin, and the other libraries I maintain, are offered free of charge, but there are times when I cannot spend as much time on them as I would like. If I can receive some financial support, then I will be able to invest more time in their development.

6 Likes

Version 5 has been released.

This version is an update based on this issue. Comeonin now provides two behaviours, Comeonin and Comeonin.PasswordHash, which can then be implemented by password hashing libraries.

Together with this update, argon2_elixir and bcrypt_elixir have been updated to version 2.0, and pbkdf2_elixir has been updated to version 1.0.

To update to the new versions, remove :comeonin from the deps function in your mix.exs file, update the hashing library to the latest version, and then edit the hashing functions as shown below:

Comeonin.Argon2.add_hash -> Argon2.add_hash
Comeonin.Argon2.check_pass -> Argon2.check_pass
Comeonin.Argon2.hashpwsalt -> Argon2.hash_pwd_salt
Comeonin.Argon2.checkpw -> Argon2.verify_pass
Comeonin.Argon2.dummy_checkpw -> Argon2.no_user_verify

For more information see this guide.
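As an added illustration of the rename table above (not code from the original post or from the Comeonin project), here is a hypothetical `MyApp.Accounts` module written against argon2_elixir 2.x after `:comeonin` has been removed from `mix.exs`. The old `Comeonin.Argon2` call is shown in a comment beside each new call; the user map with a `password_hash` key is the default shape `Argon2.add_hash/2` produces.

```elixir
defmodule MyApp.Accounts do
  # Hypothetical module added as an illustration; assumes argon2_elixir 2.x in deps
  # and :comeonin removed from the deps list.

  # Before: Comeonin.Argon2.add_hash(password)
  # After:  Argon2.add_hash(password) -> %{password_hash: "$argon2id$..."}
  def hash_for_storage(password) when is_binary(password) do
    Argon2.add_hash(password)
  end

  # Before: Comeonin.Argon2.hashpwsalt(password)
  # After:  Argon2.hash_pwd_salt(password) -> encoded hash string (salt included)
  def hash_pwd(password) when is_binary(password) do
    Argon2.hash_pwd_salt(password)
  end

  # Before: Comeonin.Argon2.checkpw(password, hash)
  # After:  Argon2.verify_pass(password, hash) -> true | false
  def password_matches?(password, hash) do
    Argon2.verify_pass(password, hash)
  end

  # Before: Comeonin.Argon2.dummy_checkpw()
  # After:  Argon2.no_user_verify()
  # Run a hash of comparable cost when no user is found, so a missing account
  # cannot be told apart from a wrong password by response time.
  def authenticate(nil, _password) do
    Argon2.no_user_verify()
    {:error, :invalid_credentials}
  end

  # Before: Comeonin.Argon2.check_pass(user, password)
  # After:  Argon2.check_pass(user, password) -> {:ok, user} | {:error, reason}
  def authenticate(%{password_hash: _} = user, password) do
    case Argon2.check_pass(user, password) do
      {:ok, user} -> {:ok, user}
      {:error, _reason} -> {:error, :invalid_credentials}
    end
  end
end
```

Callers pass whatever the lookup returned (a user map or `nil`) straight into `authenticate/2`, so both branches do comparable work; the reason string from `check_pass/3` is collapsed to a single atom so the response does not reveal which check failed.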

If you have any questions / comments, please let me know.

6 Likes

So which hashing algorithm is recommended for systems being designed today?

I’ve read some opinions stating that Argon2 might be better. For instance:

…but I figured I’d ask the Elixir community as well.

In what scenarios should Argon2 actually be preferred over Bcrypt? The link posted above says “…and offline cracking is in the threat model.” In this context, does “offline cracking” mean the attacker somehow grabs a copy of your database and can attempt to crack the password hashes in it?

Yeah, Argon2id is the best option atm. At least, SCrypt is better than BCrypt. In the vast majority of cases it doesn’t really matter since there are much easier ways to get passwords than cracking them.

I wrote about it in the production checklist for Pow with a link to this medium post that details the different popular password hashing options.
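The choice of Argon2id and its cost parameters is made in application config when using argon2_elixir. The fragment below is an added example, not from the original post or the library's documentation; the cost values are placeholders and the right numbers depend on the deployment hardware and how much latency a login may add.

```elixir
# config/config.exs (added illustration; `import Config` needs Elixir 1.9+,
# older projects use `use Mix.Config` instead)
import Config

config :argon2_elixir,
  # argon2_type: 0 = Argon2d, 1 = Argon2i, 2 = Argon2id (the hybrid the
  # post above recommends; resists both side-channel and GPU-style attacks)
  argon2_type: 2,
  # t_cost: number of passes over memory
  t_cost: 3,
  # m_cost: memory as a power of two in KiB; 17 -> 2^17 KiB = 128 MiB per hash.
  # Raising memory is what makes offline cracking of a stolen table expensive,
  # because each guess must hold that much RAM rather than just burn CPU.
  m_cost: 17,
  # parallelism: lanes used per hash; keep at or below the cores you can spare
  parallelism: 4
```

Measure before committing to values: `Argon2.Stats.report/1` in argon2_elixir times a hash with the given options, so the parameters can be raised until a single login costs as much as the service will tolerate. Note that a high `m_cost` multiplied by concurrent logins bounds the memory a node needs.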

Argon2 won the Password Hashing Competition in 2015.

2 Likes