AuthMeReloaded/docs/hash_algorithms.md
Gabriele C bf38782790 Implement ARGON2 hash (#1165)
* Implement ARGON2 hash

#1150

* Fix argon hash verify

* Add argon2 test

* #1150 Account for Argon2 managing salts internally
2017-04-14 18:03:27 +02:00

4.0 KiB

Hash Algorithms

AuthMe supports the following hash algorithms for storing your passwords safely.

Algorithm Recommendation Hash length ASCII Salt type Length Separate?
ARGON2 Recommended 96 None
BCRYPT Recommended 60 Text
BCRYPT2Y Recommended 60 Text 22
CRAZYCRYPT1 Do not use 128 Username
DOUBLEMD5 Deprecated 32 None
IPB3 Acceptable 32 Text 5 Y
IPB4 Does not work 60 Text 22 Y
JOOMLA Acceptable 65 Text 32
MD5 Deprecated 32 None
MD5VB Acceptable 56 Text 16
MYBB Acceptable 32 Text 8 Y
PBKDF2 Recommended 165 Text 16
PBKDF2DJANGO Acceptable 77 Y Text 12
PHPBB Acceptable 34 Text 16
PHPFUSION Do not use 64 Y Y
ROYALAUTH Do not use 128 None
SALTED2MD5 Acceptable 32 Text Y
SALTEDSHA512 Recommended 128 Y
SHA1 Deprecated 40 None
SHA256 Recommended 86 Text 16
SHA512 Deprecated 128 None
SMF Do not use 40 Username
TWO_FACTOR Does not work 16 None
WBB3 Acceptable 40 Text 40 Y
WBB4 Recommended 60 Text 8
WHIRLPOOL Deprecated 128 None
WORDPRESS Acceptable 34 Text 9
XAUTH Recommended 140 Text 12
XFBCRYPT 60
CUSTOM

Columns

Algorithm

The algorithm is the hashing algorithm used to store passwords with. Default is SHA256 and is recommended. You can change the hashing algorithm in the config.yml: under security, locate passwordHash.

Recommendation

The recommendation lists our usage recommendation in terms of how secure it is (not how well the algorithm works!).

  • Recommended: The hash algorithm appears to be cryptographically secure and is one we recommend.
  • Acceptable: There are safer algorithms that can be chosen but using the algorithm is generally OK.
  • Do not use: Hash algorithm isn't sufficiently secure. Use only if required to hook into another system.
  • Does not work: The algorithm does not work properly; do not use.

Hash Length

The length of the hashes the algorithm produces. Note that the hash length is not (primarily) indicative of whether an algorithm is secure or not.

ASCII

If denoted with a y, means that the algorithm is restricted to ASCII characters only, i.e. it will simply ignore "special characters" such as ÿ or Â. Note that we do not recommend the use of "special characters" in passwords.

Salt Columns

Before hashing, a salt may be appended to the password to make the hash more secure. The following columns describe the salt the algorithm uses.

Salt Type

We do not recommend the usage of any algorithm that doesn't use a randomly generated text as salt. This "salt type" column indicates what type of salt the algorithm uses:

  • Text: randomly generated text (see also the following column, "Length")
  • Username: the salt is constructed from the username (bad)
  • None: the algorithm uses no salt (bad)
Length

If applicable (salt type is "Text"), indicates the length of the generated salt. The longer the better. If this column is empty when the salt type is "Text", it typically means the salt length can be defined in config.yml.

Separate

If denoted with a y, it means that the salt is stored in a separate column in the database. This is neither good or bad.


This page was automatically generated on the AuthMe/AuthMeReloaded repository on Fri Apr 14 01:40:05 CEST 2017