Merge pull request #526 from kenjis/fix-Config-Auth-password-hashing

kenjis · web-flow · commit 9f7171f4bef2 · 2022-11-15T11:46:34.000+09:00
config: update ARGON2I/ARGON2ID Algorithm options
diff --git a/src/Config/Auth.php b/src/Config/Auth.php
@@ -278,41 +278,34 @@ class Auth extends BaseConfig
 
     /**
      * --------------------------------------------------------------------
-     * Encryption Algorithm to use
+     * Hashing Algorithm to use
      * --------------------------------------------------------------------
      * Valid values are
      * - PASSWORD_DEFAULT (default)
      * - PASSWORD_BCRYPT
      * - PASSWORD_ARGON2I  - As of PHP 7.2 only if compiled with support for it
      * - PASSWORD_ARGON2ID - As of PHP 7.3 only if compiled with support for it
-     *
-     * If you choose to use any ARGON algorithm, then you might want to
-     * uncomment the "ARGON2i/D Algorithm" options to suit your needs
      */
     public string $hashAlgorithm = PASSWORD_DEFAULT;
 
     /**
      * --------------------------------------------------------------------
-     * ARGON2i/D Algorithm options
+     * ARGON2I/ARGON2ID Algorithm options
      * --------------------------------------------------------------------
-     * The ARGON2I method of encryption allows you to define the "memory_cost",
+     * The ARGON2I method of hashing allows you to define the "memory_cost",
      * the "time_cost" and the number of "threads", whenever a password hash is
      * created.
-     * This defaults to a value of 10 which is an acceptable number.
-     * However, depending on the security needs of your application
-     * and the power of your hardware, you might want to increase the
-     * cost. This makes the hashing process takes longer.
      */
-    public int $hashMemoryCost = 2048;  // PASSWORD_ARGON2_DEFAULT_MEMORY_COST;
+    public int $hashMemoryCost = 65536; // PASSWORD_ARGON2_DEFAULT_MEMORY_COST;
 
-    public int $hashTimeCost = 4;       // PASSWORD_ARGON2_DEFAULT_TIME_COST;
-    public int $hashThreads  = 4;        // PASSWORD_ARGON2_DEFAULT_THREADS;
+    public int $hashTimeCost = 4;   // PASSWORD_ARGON2_DEFAULT_TIME_COST;
+    public int $hashThreads  = 1;   // PASSWORD_ARGON2_DEFAULT_THREADS;
 
     /**
      * --------------------------------------------------------------------
-     * Password Hashing Cost
+     * BCRYPT Algorithm options
      * --------------------------------------------------------------------
-     * The BCRYPT method of encryption allows you to define the "cost"
+     * The BCRYPT method of hashing allows you to define the "cost"
      * or number of iterations made, whenever a password hash is created.
      * This defaults to a value of 10 which is an acceptable number.
      * However, depending on the security needs of your application
