Skip to content

doc(0036): update password encryption mechanisms#109

Open
savonarola wants to merge 2 commits into
emqx:mainfrom
savonarola:20260528-sec-harden-password-hashing
Open

doc(0036): update password encryption mechanisms#109
savonarola wants to merge 2 commits into
emqx:mainfrom
savonarola:20260528-sec-harden-password-hashing

Conversation

@savonarola

Copy link
Copy Markdown
Contributor

No description provided.

* Argon2id with OWASP-compliant memory, iteration, and parallelism parameters;
* scrypt with OWASP-compliant CPU/memory cost, block size, and parallelization
parameters;
* bcrypt with `salt_rounds >= 10`;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should perhaps avoid promoting bcrypt,
document PBKDF2 only.

@thalesmg

thalesmg commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

on a related note, seems that "soon" we might get argon2 from otp's crypto: erlang/otp#11301

not in time for this, obviously 😸

@savonarola savonarola force-pushed the 20260528-sec-harden-password-hashing branch from 0fb29ca to 698ea38 Compare July 3, 2026 10:18
* non-PBKDF2 password hashing algorithms;
* PBKDF2 with weak or non-recommended MAC functions: `md4`, `md5`,
`ripemd160`, `sha`, `sha224`;
* PBKDF2 with an iteration count below the OWASP minimum for the selected MAC

@zmstone zmstone Jul 3, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

above might be too expensive (without rate limiting)

* PBKDF2-HMAC-SHA512 with at least 220,000 iterations.

The default password hashing configuration should also be secure under the
`hardened` profile. The hardened default is PBKDF2-HMAC-SHA256 with 600,000

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

continue to default sha256, change default after we introduce a default rate limiter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants