Directory Services 7.2.5

Argon2 Password Storage Scheme

The Argon2 Password Storage Scheme provides a mechanism for encoding user passwords using the Argon2 message digest algorithm.

This scheme contains an implementation for the user password syntax, with a storage scheme name of "ARGON2".

Parent

The Argon2 Password Storage Scheme object inherits from Password Storage Scheme.

Argon2 Password Storage Scheme properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

argon2-iterations
argon2-length
argon2-memory
argon2-parallelism
argon2-salt-length
argon2-variant
enabled
rehash-policy

argon2-migration-memory
java-class

Basic properties

Use the --advanced option to access advanced properties.

argon2-iterations

Synopsis

The number of iterations to perform.

Description

By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the number of iterations therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of much higher CPU consumption and lower throughput.

Default value

2

Allowed values

An integer.

Lower limit: 1.

Upper limit: 30.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

argon2-length

Synopsis

The length of the produced hash.

Description

By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the length of the produced hash therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of much higher CPU consumption and lower throughput.

Default value

32

Allowed values

An integer.

Lower limit: 4.

Upper limit: 32768.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

argon2-memory

Synopsis

The amount of memory to use for a single hash, expressed in kibibytes.

Description

By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the amount of memory to use therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of longer response times and lower throughput.

Default value

15360

Allowed values

An integer.

Lower limit: 8.

Upper limit: 4194304.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

argon2-parallelism

Synopsis

The number of threads to use in parallel to compute a hash.

Description

The number of threads should not exceed twice the number of physical CPU cores that are dedicated to password hashing. By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the amount of parallelism to use therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of much higher CPU consumption and lower throughput.

Default value

1

Allowed values

An integer.

Lower limit: 1.

Upper limit: 32768.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

argon2-salt-length

Synopsis

The length of the salt used during the hash.

Description

By default, changes to this setting impact only newly created and updated passwords.

Default value

16

Allowed values

An integer.

Lower limit: 8.

Upper limit: 4096.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

argon2-variant

Synopsis

The variant of Argon2 algorithm to use (between I, D and ID).

Description

Argon2D maximizes resistance to GPU cracking attacks. Argon2I is optimized to resist side-channel attacks. Argon2ID is a hybrid version that combines both approaches and has stronger resistance to attacks, but it’s more expensive. By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and writes the new hash to the user’s entry on disk. Changing the variant of Argon2 algorithm to use therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of much higher CPU consumption and lower throughput.

Default value

ID

Allowed values

  • D: Use Argon2d variant.

  • I: Argon2i.

  • ID: Argon2id.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

enabled

Synopsis

Indicates whether the Password Storage Scheme is enabled for use.

Default value

None

Allowed values

true

false

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

rehash-policy

Synopsis

Indicates whether the server should rehash passwords after the cost has been changed.

Description

Passwords will be rehashed when a user successfully authenticates. Note that rehashing will increase the write load on the server.

Default value

never

Allowed values

  • always: Rehash passwords when the cost is increased or decreased.

  • never: Never rehash passwords.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

argon2-migration-memory

Synopsis

The memory requirement expected during an Argon2 password migration.

Description

In case of migration of Argon2 password having bigger memory requirement than what’s configured in 'argon2-memory', it is recommended to specify the memory requirement so that the conversion can be done without memory starvation. The value of this configuration will be ignored if its value is inferior to what’s configured in 'argon2-memory'.

Default value

0

Allowed values

An integer.

Lower limit: 0.

Upper limit: 4194304.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

java-class

Synopsis

Specifies the fully-qualified name of the Java class that provides the Argon2 Password Storage Scheme implementation.

Default value

org.opends.server.extensions.Argon2PasswordStorageScheme

Allowed values

A Java class that extends or implements:

  • org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

Yes

Read-only

No