/ 
Crypt-Passphrase-Argon2-0.009
River stage one • 3 direct dependents • 3 total dependents
/ Crypt::Passphrase::Argon2

NAME

Crypt::Passphrase::Argon2 - An Argon2 encoder for Crypt::Passphrase

VERSION

version 0.009

SYNOPSIS

my $passphrase = Crypt::Passphrase->new(
  encoder => {
    module  => 'Argon2',
    profile => 'interactive',
  },
);

DESCRIPTION

This class implements an Argon2 encoder for Crypt::Passphrase. It is the recommended password encoder as of 2023.

The default settings are taken from the moderate profile of libsodium's password hashing. If you want to use your own settings Crypt::Argon2 contains a argon2-calibrate tool to assist you in this.

METHODS

new(%args)

This creates a new Argon2 encoder, it takes named parameters that are all optional. Note that some defaults are likely to change at some point in the future, as computers get progressively more powerful and cryptoanalysis gets more advanced.

  • profile

    This sets the default values for the memory_cost and time_cost values. The default profile is moderate, but this may change in any future version.

    • interactive

      This sets the defaults for memory_cost and time_cost to 2 and '64M' respectively.

    • moderate

      This sets the defaults for memory_cost and time_cost to 3 and '256M' respectively.

    • sensitive

      This sets the defaults for memory_cost and time_cost to 4 and '1G' respectively.

  • memory_cost

    Maximum memory (in bytes) that may be used to compute the Argon2 hash.

  • time_cost

    Maximum amount of time it may take to compute the Argon2 hash.

  • parallelism

    The number of lanes (and potentially threads) used for the hash. This defaults to 1, but this number may change in any future version.

  • output_size

    The size of a hashed value. This defaults to 32 bytes.

  • salt_size

    The size of the salt. This defaults to 16 bytes, which should be more than enough for any use-case.

  • subtype

    This choses the argon2 subtype. It defaults to argon2id, and unless you know what you're doing you should probably keep it at that. This may change in any future version (but is unlikely to do so unless argon2id is cryptographically broken).

    • argon2id

      This is the default. It's a hybrid of argon2i and argon2d that largely combines the advantages of both.

    • argon2i

      This is optimized against timing attacks, but more vulnerable against other cryptographic attacks. It must not be used with a time_cost lower than 3.

    • argon2d

      This is optimized for resistance to GPU cracking attacks but not against timing based side-channel attacks.

Note: there is no wrong or right configuration, it all depends on your own particular circumstances. I recommend using the algorithm described in Crypt::Argon2 to pick the right settings for you.

hash_password($password)

This hashes the passwords with argon2 according to the specified settings and a random salt (and will thus return a different result each time).

needs_rehash($hash)

This returns true if the hash uses a different cipher or subtype, or if any of the parameters is lower that desired by the encoder.

crypt_types()

This class supports the following crypt types: argon2id, argon2i and argon2d.

verify_password($password, $hash)

This will check if a password matches an argon2 hash.

AUTHOR

Leon Timmermans <leont@cpan.org>

COPYRIGHT AND LICENSE

This software is copyright (c) 2021 by Leon Timmermans.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.