How can we make argon2 safe? #6878

New Issue

Closed

opened 2025-11-02 07:09:45 -06:00 by GiteaMirror · 10 comments

GiteaMirror commented 2025-11-02 07:09:45 -06:00

Owner

Copy Link

Originally created by @zeripath on GitHub (Feb 16, 2021).

Argon2 is clearly causing multiple problems due to its memory requirements, especially on lower spec'd systems.

I cannot recommend argon2 in good conscience at present as its memory use can be unbounded especially under LFS.

Ref #14674

Originally created by @zeripath on GitHub (Feb 16, 2021). Argon2 is clearly causing multiple problems due to its memory requirements, especially on lower spec'd systems. I cannot recommend argon2 in good conscience at present as its memory use can be unbounded especially under LFS. Ref #14674

GiteaMirror added the type/proposal label 2025-11-02 07:09:45 -06:00

GiteaMirror closed this issue 2025-11-02 07:09:46 -06:00

GiteaMirror commented 2025-11-02 07:09:46 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Feb 16, 2021):

Ok there are multiple options here, any and potentially all of which should be implemented:

• Act like GitHub and ban basic auth with passwords - require tokens instead.
• Expose and make configurable the parameters used for hashing.
• Add a max concurrent lock around password hashing.

I understand a user on discord is looking in to the second option right now - but I think we seriously need to consider both of the other options in addition.

@zeripath commented on GitHub (Feb 16, 2021): Ok there are multiple options here, any and potentially all of which should be implemented: * Act like GitHub and ban basic auth with passwords - require tokens instead. * Expose and make configurable the parameters used for hashing. * Add a max concurrent lock around password hashing. I understand a user on discord is looking in to the second option right now - but I think we seriously need to consider both of the other options in addition.

GiteaMirror commented 2025-11-02 07:09:46 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Feb 17, 2021):

Argon2 memory usage could be configured by Gitea so that users could chose suitable variable according his system.

@lunny commented on GitHub (Feb 17, 2021): Argon2 memory usage could be configured by Gitea so that users could chose suitable variable according his system.

GiteaMirror commented 2025-11-02 07:09:47 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Feb 17, 2021):

That is point 2: Expose and make configurable the parameters used for hashing.

@zeripath commented on GitHub (Feb 17, 2021): That is point 2: Expose and make configurable the parameters used for hashing.

GiteaMirror commented 2025-11-02 07:09:47 -06:00

Author

Owner

Copy Link

@vladionescu commented on GitHub (Mar 4, 2021):

Moving my comment over from https://github.com/go-gitea/gitea/issues/14294#issuecomment-790765537 (sorry! found that via the PR linked in latest release notes)

Mostly interested in what the symptoms are here that we're trying to solve by ditching Argon2.

What issues have we seen from this memory usage? I personally haven't encountered slowdowns, but my instance only has ~20 users so I am certainly not running a very busy Gitea.

Like a good KDF, Argon2 is designed to not be performant. If it was performant, it would be easy for attackers to brute force plaintext passwords should they ever get their hands on the hashes.

That said, it's also not meant to be a drag on the whole system. It has configurable parameters that influence memory usage, among other things. Have we considered tweaking those knobs or exposing them to admins, so they can be turned down for more resource constrained deployments?

@vladionescu commented on GitHub (Mar 4, 2021): Moving my comment over from https://github.com/go-gitea/gitea/issues/14294#issuecomment-790765537 (sorry! found that via the PR linked in latest release notes) Mostly interested in what the symptoms are here that we're trying to solve by ditching Argon2. > What issues have we seen from this memory usage? I personally haven't encountered slowdowns, but my instance only has ~20 users so I am certainly not running a very busy Gitea. > > Like a good KDF, Argon2 is designed to not be performant. If it was performant, it would be easy for attackers to brute force plaintext passwords should they ever get their hands on the hashes. > > That said, it's also not meant to be a drag on the whole system. It has configurable parameters that influence memory usage, among other things. Have we considered tweaking those knobs or exposing them to admins, so they can be turned down for more resource constrained deployments?

GiteaMirror commented 2025-11-02 07:09:47 -06:00

Author

Owner

Copy Link

@jolheiser commented on GitHub (Mar 4, 2021):

It's pertinent to point out that you can still use argon2, it just isn't the default anymore.

@jolheiser commented on GitHub (Mar 4, 2021): It's pertinent to point out that you [_can_ still use argon2](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security), it just isn't the default anymore.

GiteaMirror commented 2025-11-02 07:09:47 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Mar 4, 2021):

OK I absolutely do not want this issue to turn into other issues that go round in circles without solutions.

So further comments that do not address the memory issues with argon2 and the solutions proposed above or propose other solutions WILL be deleted.

Mostly interested in what the symptoms are here that we're trying to solve by ditching Argon2.

It is not prudent to explain further than I have stated above: its memory use can be unbounded especially under LFS.

@vladionescu If you want further explanation come to discord and chat to me directly.

@zeripath commented on GitHub (Mar 4, 2021): OK I absolutely do not want this issue to turn into other issues that go round in circles without solutions. So further comments that do not address the memory issues with argon2 and the solutions proposed above or propose other solutions *WILL* be deleted. > Mostly interested in what the symptoms are here that we're trying to solve by ditching Argon2. It is not prudent to explain further than I have stated above: its memory use can be unbounded especially under LFS. @vladionescu If you want further explanation come to discord and chat to me directly.

GiteaMirror commented 2025-11-02 07:09:47 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Mar 8, 2021):

Blake3 is not a password hashing algorithm. Do not use Blake3 for password hashing - it has none of the characteristics you need in password hashing.

@zeripath commented on GitHub (Mar 8, 2021): Blake3 is not a password hashing algorithm. Do not use Blake3 for password hashing - it has none of the characteristics you need in password hashing.

GiteaMirror commented 2025-11-02 07:09:47 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Mar 8, 2021):

Fundamentally the issue is that hashing passwords is supposed to be expensive and has to be expensive in order to provide protection against cracking. Changing algorithm and adjusting its parameters etc. is not going to form a complete solution to this problem - it may well form part of the solution in order to tune parameters for running systems and allow more concurrent password checks - but it is not the solution.

If we allow unlimited password validation we are going to run out resources simply because password validation is expensive.

Our only options are to limit the amount of concurrent password validation actions on the server and to move users of the API and HTTP from using passwords to using tokens which are far less expensive to validate.

@zeripath commented on GitHub (Mar 8, 2021): Fundamentally the issue is that hashing passwords is supposed to be expensive and has to be expensive in order to provide protection against cracking. Changing algorithm and adjusting its parameters etc. is not going to form a complete solution to this problem - it may well form part of the solution in order to tune parameters for running systems and allow more concurrent password checks - but it is not the solution. If we allow unlimited password validation we are going to run out resources simply because password validation is expensive. Our only options are to limit the amount of concurrent password validation actions on the server and to move users of the API and HTTP from using passwords to using tokens which are far less expensive to validate.

GiteaMirror commented 2025-11-02 07:09:48 -06:00

Author

Owner

Copy Link

@uwejan commented on GitHub (Jun 20, 2023):

Hey guys, I am oticing an increase of memory consumtion of 4 MB on a single user request to verify a password?
That is too much is not it. is thre a way around this?

@uwejan commented on GitHub (Jun 20, 2023): Hey guys, I am oticing an increase of memory consumtion of 4 MB on a single user request to verify a password? That is too much is not it. is thre a way around this?

GiteaMirror commented 2025-11-02 07:09:48 -06:00

Author

Owner

Copy Link

@wxiaoguang commented on GitHub (Jun 23, 2025):

	algoBcrypt = "bcrypt"
	algoScrypt = "scrypt"
	algoArgon2 = "argon2"
	algoPbkdf2 = "pbkdf2"

There are different algorithms and they are configurable.

@wxiaoguang commented on GitHub (Jun 23, 2025): ``` algoBcrypt = "bcrypt" algoScrypt = "scrypt" algoArgon2 = "argon2" algoPbkdf2 = "pbkdf2" ``` There are different algorithms and they are configurable.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label type/proposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#6878