Argon2 Password Storage Scheme
The Argon2 Password Storage Scheme provides a mechanism for encoding user passwords using the Argon2 message digest algorithm.
This scheme contains an implementation for the user password syntax, with a storage scheme name of "ARGON2".
Parent
The Argon2 Password Storage Scheme object inherits from Password Storage Scheme.
Argon2 Password Storage Scheme properties
You can use configuration expressions to set property values at startup time. For details, see Property value substitution.
| Basic Properties | Advanced Properties |
|---|---|
argon2-iterations |
argon2-iterations
Synopsis |
The number of iterations to perform. |
Description |
By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the number of iterations therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of much higher CPU consumption and lower throughput. |
Default value |
2 |
Allowed values |
An integer. Lower limit: 1. Upper limit: 30. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
argon2-length
Synopsis |
The length of the produced hash. |
Description |
By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the length of the produced hash therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of much higher CPU consumption and lower throughput. |
Default value |
32 |
Allowed values |
An integer. Lower limit: 4. Upper limit: 32768. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
argon2-memory
Synopsis |
The amount of memory to use for a single hash, expressed in kibibytes. |
Description |
By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the amount of memory to use therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of longer response times and lower throughput. |
Default value |
15360 |
Allowed values |
An integer. Lower limit: 8. Upper limit: 4194304. |
Multi-valued |
No |
Required |
No |
Admin action required |
Restart the server for changes to take effect. |
Advanced |
No |
Read-only |
No |
argon2-parallelism
Synopsis |
The number of threads to use in parallel to compute a hash. |
Description |
The number of threads should not exceed twice the number of physical CPU cores that are dedicated to password hashing. By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and write the new hash to the user’s entry on disk. Changing the amount of parallelism to use therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of much higher CPU consumption and lower throughput. |
Default value |
1 |
Allowed values |
An integer. Lower limit: 1. Upper limit: 32768. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
argon2-salt-length
Synopsis |
The length of the salt used during the hash. |
Description |
By default, changes to this setting impact only newly created and updated passwords. |
Default value |
16 |
Allowed values |
An integer. Lower limit: 8. Upper limit: 4096. |
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
argon2-variant
Synopsis |
The variant of Argon2 algorithm to use (between I, D and ID). |
Description |
Argon2D maximizes resistance to GPU cracking attacks. Argon2I is optimized to resist side-channel attacks. Argon2ID is a hybrid version that combines both approaches and has stronger resistance to attacks, but it’s more expensive. By default, changes to this setting impact only newly created and updated passwords. However, if the rehash-policy is set to always or only-increase, it causes the server to recalculate each user’s password hash on their next authentication, and writes the new hash to the user’s entry on disk. Changing the variant of Argon2 algorithm to use therefore leads to a short-term spike in CPU and disk use as the server updates each user’s password when they next authenticate. Longer term, increasing this setting results in more secure passwords at the expense of much higher CPU consumption and lower throughput. |
Default value |
ID |
Allowed values |
|
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
enabled
Synopsis |
Indicates whether the Password Storage Scheme is enabled for use. |
Default value |
None |
Allowed values |
true false |
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
rehash-policy
Synopsis |
Indicates whether the server should rehash passwords after the cost has been changed. |
Description |
Passwords will be rehashed when a user successfully authenticates. Note that rehashing will increase the write load on the server. |
Default value |
never |
Allowed values |
|
Multi-valued |
No |
Required |
No |
Admin action required |
None |
Advanced |
No |
Read-only |
No |
Advanced properties
Use the --advanced
option to access advanced properties.
argon2-memory-pool-size
Synopsis |
The amount of memory dedicated to Argon2 password hashing, expressed in kibibytes. |
Description |
This amount of memory places an upper limit on the number of argon2 password hashes which can be computed concurrently. Every bind request using argon2 password hashing will acquire memory from this pool, and release it once computation has completed. When the pool is empty, incoming bind requests using argon2 will be paused, waiting for concurrent argon2 computation to finish and return memory to the pool. |
Default value |
122880 |
Allowed values |
An integer. Lower limit: 0. Upper limit: 4194304. |
Multi-valued |
No |
Required |
No |
Admin action required |
Restart the server for changes to take effect. |
Advanced |
Yes |
Read-only |
No |
java-class
Synopsis |
Specifies the fully-qualified name of the Java class that provides the Argon2 Password Storage Scheme implementation. |
Default value |
org.opends.server.extensions.Argon2PasswordStorageScheme |
Allowed values |
A Java class that extends or implements:
|
Multi-valued |
No |
Required |
Yes |
Admin action required |
None |
Advanced |
Yes |
Read-only |
No |