Password Hashing PBKDF2 vs Argon2

(mato) #1

I was reading about password hashing and came across this
What is the most reliable, safe and efficient password hashing algorithm as of 2018?

If Argon2 is the best and most secure password hashing method, then why is Discourse using PBKDF2?
Or am I missing something?

(Jeff Atwood) #2

It takes a while for new hashing methods to be proven safe and reliable.

We do have a longer term todo to add a hash version so we can increase difficulty here in the future.

See: Hacker, Hack Thyself

(mato) #3

That’s a nice explanation, thank you.
I was just curious because in another post I found that PBKDF2 came in last position:
How to Safely Store Your Users’ Passwords

  • Argon2 , the Password Hashing Competition winner.
  • bcrypt
  • scrypt
  • The other Password Hashing Competition finalists ( Catena , Lyra2 , Makwa , and yescrypt )
  • PBKDF2 (nearly everyone except FIPS agrees PBKDF2 is the worst of the acceptable options but is still acceptable)

But that's probably outdated now.

(Jeff Atwood) #4

It depends how many iterations you use. “Worst” is relative, you must know the number of iterations in use. Otherwise you are literally comparing :apple:s and :tangerine:s
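The two points raised in this thread, that the iteration count is what decides how strong a PBKDF2 hash actually is, and that storing a version or work-factor alongside the hash lets you raise the difficulty later without a forced password reset, can be shown in a few lines. The following is an added example, not Discourse's code and not code from any poster: the `pbkdf2_sha256$iterations$salt$hash` storage format, the `CURRENT_ITERATIONS` policy value and the function names are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed storage format (not Discourse's): pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # constructed policy value for this example, not a Discourse setting
SALT_BYTES = 16               # 128-bit random salt per password
DKLEN = 32                    # derived-key length in bytes


def _b64(raw: bytes) -> str:
    # Standard base64 never contains '$', so the separator stays unambiguous.
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and encode it with its own work factor.

    The iteration count is stored next to the hash so a later policy change
    (raising CURRENT_ITERATIONS) can be applied to old records as users log in.
    `salt` is only a parameter so tests can be deterministic; callers should
    leave it as None and get a fresh random salt.
    """
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DKLEN)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def parse_stored(encoded: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, expected_digest)."""
    algorithm, iterations, salt_b64, hash_b64 = encoded.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return int(iterations), _unb64(salt_b64), _unb64(hash_b64)


def verify_password(password: str, encoded: str) -> Tuple[bool, bool]:
    """Return (password_ok, needs_rehash).

    needs_rehash is True only when the password verified AND the stored
    record used fewer iterations than the current policy demands, which is
    the moment the caller still has the plaintext and can re-hash it.
    """
    iterations, salt, expected = parse_stored(encoded)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DKLEN)
    ok = hmac.compare_digest(actual, expected)  # constant-time comparison
    needs_rehash = ok and iterations < CURRENT_ITERATIONS
    return ok, needs_rehash


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Typical login path: verify, and transparently upgrade a weak record."""
    ok, needs_rehash = verify_password(password, stored)
    if ok and needs_rehash:
        stored = hash_password(password)  # re-hash at today's iteration count
    return ok, stored


if __name__ == "__main__":
    # Constructed scenario: a record written years ago with a low work factor.
    old_record = hash_password("correct horse battery staple", iterations=10_000)
    ok, upgraded = login_and_upgrade("correct horse battery staple", old_record)
    print("login ok:", ok)
    print("old iterations:", old_record.split("$")[1])
    print("new iterations:", upgraded.split("$")[1])
```

The comparison Jeff makes in the last post is visible here: the same `pbkdf2_sha256` record at 10,000 iterations and at 600,000 iterations costs an attacker sixty times more work per guess, so any "PBKDF2 vs Argon2" ranking only means something once the iteration count is fixed. Storing the count in the record is what makes the upgrade-on-login step possible.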