From 73a39fecf0058ab1f42eb019421eea186416dc3c Mon Sep 17 00:00:00 2001
From: Valentin Tolmer
Date: Mon, 11 Oct 2021 20:09:34 +0200
Subject: [PATCH] opaque: Lower the compute cost
This reduces the time to validate a password, at a minor cost of security (makes bruteforcing the DB easier, but still really hard). Note: this invalidates all current passwords. It is recommended to delete the admin user directly in sqlite: $ sqlite3 users.db > DELETE from users WHERE user_id = "admin"; It will be recreated with the reset password when restarting the server. The admin can then reset other users' passwords.
---
 auth/src/opaque.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/src/opaque.rs b/auth/src/opaque.rs
index 2371c0a..7648d58 100644
--- a/auth/src/opaque.rs
+++ b/auth/src/opaque.rs
@@ -27,7 +27,7 @@ impl ArgonHasher {
 mem_cost: 50 * 1024, // 50 MB, in KB
 secret: &[],
 thread_mode: argon2::ThreadMode::Sequential,
- time_cost: 5,
+ time_cost: 1,
 variant: argon2::Variant::Argon2id,
 version: argon2::Version::Version13,
 };
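Review bot: The new `time_cost: 1` line has no comment, so the fact that changing these Argon2 parameters invalidates every stored password is recorded only in the commit message and is easy to miss at the next re-tune. I would add above it `// Single pass to keep logins fast; mem_cost is now the main brute-force cost. Changing any field here invalidates all stored passwords.` With one pass, the 50 MB `mem_cost` is what mostly stands between a leaked users.db and offline guessing, so it should be treated as a floor; this combination appears to sit near the low end of commonly published Argon2id guidance. The struct literal begins above the hunk, so any lanes or hash-length settings are not visible here and should be checked against the same guidance.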