π Summary
The current crypto module in Astra provides cryptographic hash functions such as SHA2 and SHA3 (256/512). However, these functions are not suitable for password storage because they are fast and do not include built-in protections against brute-force attacks.
This proposal requests the addition of a dedicated password hashing API using modern, secure algorithms such as bcrypt, scrypt, or Argon2.
π¨ Current Problem
Using:
crypto.hash("sha2_512", password)or even with manual salting:
crypto.hash("sha2_512", password .. salt)is insecure for password storage because:
- The hashing process is too fast (enabling GPU/ASIC brute-force attacks)
- No built-in work factor / cost parameter
- Salt must be implemented manually (error-prone)
- Does not follow modern security best practices
π― Proposed Solution
Introduce a dedicated API for password hashing:
crypto.password_hash("MY_PASSWORD")And a verification function:
crypto.password_verify("MY_PASSWORD", stored_hash)
π Suggested Algorithms
The implementation should support or evaluate:
- Argon2 (preferred): modern standard, winner of the Password Hashing Competition
- bcrypt: widely adopted and battle-tested
- scrypt: strong alternative with memory-hard properties
βοΈ Optional Enhancements
Allow configurable parameters for advanced usage:
crypto.password_hash("password", {
algorithm = "argon2id",
memory = 65536,
iterations = 3,
parallelism = 1
})
π¦ Benefits
- Strong protection against brute-force attacks
- Alignment with OWASP and NIST recommendations
- Prevents insecure ad-hoc implementations by developers
- Centralizes secure authentication best practices
- Improves overall framework security posture
π References
- OWASP Password Storage Cheat Sheet
- NIST SP 800-63B Digital Identity Guidelines
- Argon2 Password Hashing Competition Winner
β οΈ Important Note
This functionality should be clearly separated from crypto.hash, since SHA2/SHA3 remain appropriate for non-password use cases such as data integrity, checksums, and general cryptographic hashing.
π Summary
The current
cryptomodule in Astra provides cryptographic hash functions such as SHA2 and SHA3 (256/512). However, these functions are not suitable for password storage because they are fast and do not include built-in protections against brute-force attacks.This proposal requests the addition of a dedicated password hashing API using modern, secure algorithms such as bcrypt, scrypt, or Argon2.
π¨ Current Problem
Using:
or even with manual salting:
is insecure for password storage because:
π― Proposed Solution
Introduce a dedicated API for password hashing:
And a verification function:
π Suggested Algorithms
The implementation should support or evaluate:
βοΈ Optional Enhancements
Allow configurable parameters for advanced usage:
π¦ Benefits
π References
This functionality should be clearly separated from
crypto.hash, since SHA2/SHA3 remain appropriate for non-password use cases such as data integrity, checksums, and general cryptographic hashing.