= Documentation for Argon2 Feature
The argon2 feature adds the ability to replace the bcrypt password hash
algorithm with argon2 (specifically, argon2id). Argon2 is an alternative to
bcrypt that offers the ability to be memory-hard. However, argon2 is weaker
than bcrypt for interactive login environments (e.g. password check times
under a second), so for the vast majority of web applications, using the
argon2 feature will weaken the application's security. You should not use
the argon2 feature unless the usage of argon2 is required or you are a
cryptographer and understand why argon2 would be better than bcrypt for your
application.
If you are using this feature with Rodauth's database authentication functions,
you need to make sure that the database authentication functions are configured
to support argon2 in addition to bcrypt. You can do this by passing the
+:argon2+ option when calling the method to define the database functions.
In this example, +DB+ should be your Sequel::Database object:
require 'rodauth/migrations'
# If the functions are already defined and you are not using PostgreSQL,
# you need to drop the existing functions.
Rodauth.drop_database_authentication_functions(DB)
# If you are using the disallow_password_reuse feature, also drop the
# database functions related to that if not using PostgreSQL:
Rodauth.drop_database_previous_password_check_functions(DB)
# Define new functions that support argon2:
Rodauth.create_database_authentication_functions(DB, argon2: true)
# If you are using the disallow_password_reuse feature, also define
# new functions that support argon2 for that:
Rodauth.create_database_previous_password_check_functions(DB, argon2: true)
The argon2 feature provides the ability to allow for a gradual migration
from transitioning from bcrypt to argon2 and vice-versa, if you are using the
update_password_hash feature.
Argon2 is more configurable than bcrypt in terms of password hash cost
speficiation. Instead of specifying the password_hash_cost value as
an integer, you must specify the password hash cost as a hash, such as
({t_cost: 2, m_cost: 16}).
If you are using the argon2 feature and if you have no bcrypt passwords in
your database, you should use require_bcrypt? false in your
Rodauth configuration to prevent loading the bcrypt library, which will save
memory.
== Auth Value Methods
argon2_old_secret :: The previous secret key used as input at hashing time, used for argon2_secret rotation. In order to rotate the argon2_secret, you must also use the update_password_hash feature, and rotation will not be finished until all users have logged in using the new secret.
argon2_secret :: A secret key used as input at hashing time, folded into the value of the hash.
use_argon2? :: Whether to use the argon2 password hash algorithm for new passwords (true by default). The only reason to set this to false is if you have existing passwords using argon2 that you want to support, but want to use bcrypt for new passwords.