Evaluating Argon2 Adoption and Effectiveness in Real-World Software
7 months ago
- #Cryptography
- #Password Security
- #Argon2
- Argon2, the Password Hashing Competition winner, is analyzed for its real-world adoption and effectiveness.
- The study combines attack simulations with a large-scale empirical analysis of Argon2 usage in GitHub repositories.
- OWASP's recommended 46 MiB configuration reduces compromise rates by 42.5% compared to SHA-256 at \$1/account attack budgets for strong passwords.
- Memory-hardness shows diminishing returns, with higher memory allocations providing only marginal additional protection.
- Weak passwords remain highly vulnerable, with 96.9-99.8% compromise rates regardless of the hashing algorithm.
- 46.6% of Argon2 deployments use weaker-than-OWASP parameters, and sensitive applications do not show stronger configurations.
- Secure algorithms alone are insufficient; effective parameter guidance and developer education are crucial for security.