| draft-ietf-kitten-password-storage-06.txt | draft-ietf-kitten-password-storage-07.txt |
|---|---|
| Common Authentication Technology Next Generation S. Whited | Common Authentication Technology Next Generation S. Whited |
| Internet-Draft 6 April 2021 | Internet-Draft 27 September 2021 |
| Intended status: Best Current Practice | Intended status: Best Current Practice |
| Expires: 8 October 2021 | Expires: 31 March 2022 |
| Best practices for password hashing and storage | Best practices for password hashing and storage |
| draft-ietf-kitten-password-storage-06 | draft-ietf-kitten-password-storage-07 |
| Abstract | Abstract |
| This document outlines best practices for handling user passwords and | This document outlines best practices for handling user passwords and |
| other authenticator secrets in client-server systems making use of | other authenticator secrets in client-server systems making use of |
| SASL. | SASL. |
| Status of This Memo | Status of This Memo |
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the |
| skipping to change at page 1, line 32 | skipping to change at page 1, line 32 |
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering |
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute |
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- |
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. |
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months |
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any |
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference |
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." |
| This Internet-Draft will expire on 8 October 2021. | This Internet-Draft will expire on 31 March 2022. |
| Copyright Notice | Copyright Notice |
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the |
| document authors. All rights reserved. | document authors. All rights reserved. |
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal |
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ |
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. |
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights |
| skipping to change at page 7, line 33 | skipping to change at page 7, line 33 |
| +----------------------------------+--------------+ | +----------------------------------+--------------+ |
| \| Minimum output length \| 32 \| | \| Minimum output length \| 32 \| |
| +----------------------------------+--------------+ | +----------------------------------+--------------+ |
| Table 2: Argon Parameters | Table 2: Argon Parameters |
| 5.2. Bcrypt | 5.2. Bcrypt |
| bcrypt [BCRYPT] is a Blowfish-based KDF. | bcrypt [BCRYPT] is a Blowfish-based KDF. |
| +=========================+=======================+ | +==========================+=======================+ |
| \| Parameter \| Value \| | \| Parameter \| Value \| |
| +=========================+=======================+ | +==========================+=======================+ |
| \| Recommended Cost \| 12 \| | \| Minimum Recommended Cost \| 12 \| |
| +-------------------------+-----------------------+ | +--------------------------+-----------------------+ |
| \| Maximum Password Length \| 50-72 bytes depending \| | \| Maximum Password Length \| 50-72 bytes depending \| |
| \| \| on the implementation \| | \| \| on the implementation \| |
| +-------------------------+-----------------------+ | +--------------------------+-----------------------+ |
| Table 3: Bcrypt Parameters | Table 3: Bcrypt Parameters |
| 5.3. PBKDF2 | 5.3. PBKDF2 |
| PBKDF2 [RFC8018] is used by the SCRAM [RFC5802] family of SASL | PBKDF2 [RFC8018] is used by the SCRAM [RFC5802] family of SASL |
| mechanisms. | mechanisms. |
| +=============================+================================+ | +=============================+================================+ |
| \| Parameter \| Value \| | \| Parameter \| Value \| |
| +=============================+================================+ | +=============================+================================+ |
| \| Minimum iteration count (c) \| 310,000 \| | \| Minimum iteration count (c) \| 310,000 \| |
| skipping to change at page 11, line 42 | skipping to change at page 11, line 42 |
| [BCRYPT] Provos, N. and D. Mazières, "A Future-Adaptable Password | [BCRYPT] Provos, N. and D. Mazières, "A Future-Adaptable Password |
| Scheme", USENIX 1999 | Scheme", USENIX 1999 |
| https://www.usenix.org/legacy/event/usenix99/provos/ | https://www.usenix.org/legacy/event/usenix99/provos/ |
| provos.pdf, June 1999. | provos.pdf, June 1999. |
| [I-D.irtf-cfrg-argon2] | [I-D.irtf-cfrg-argon2] |
| Biryukov, A., Dinu, D., Khovratovich, D., and S. | Biryukov, A., Dinu, D., Khovratovich, D., and S. |
| Josefsson, "The memory-hard Argon2 password hash and | Josefsson, "The memory-hard Argon2 password hash and |
| proof-of-work function", Work in Progress, Internet-Draft, | proof-of-work function", Work in Progress, Internet-Draft, |
| draft-irtf-cfrg-argon2-12, 8 September 2020, | draft-irtf-cfrg-argon2-12, 8 September 2020, |
| <https://tools.ietf.org/html/draft-irtf-cfrg-argon2-12>. | <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg- |
| | argon2-12>. |
| [NISTSP132] | [NISTSP132] |
| Turan, M., Barker, E., Burr, W., and L. Chen, | Turan, M., Barker, E., Burr, W., and L. Chen, |
| "Recommendation for Password-Based Key Derivation Part 1: | "Recommendation for Password-Based Key Derivation Part 1: |
| Storage Applications", NIST Special Publication SP | Storage Applications", NIST Special Publication SP |
| 800-132, DOI 10.6028/NIST.SP.800-132, December 2010, | 800-132, DOI 10.6028/NIST.SP.800-132, December 2010, |
| <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/ | <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/ |
| nistspecialpublication800-132.pdf>. | nistspecialpublication800-132.pdf>. |
| [NISTSP63-3] | [NISTSP63-3] |

End of changes. 7 change blocks. 14 lines changed or deleted; 15 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
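The PBKDF2 row shown in the diff (minimum iteration count c = 310,000) is the parameter a SCRAM server actually has to apply when it derives and stores a verifier. The following is an added example, not text or code from the draft or from any SASL implementation: it derives the RFC 5802 values (SaltedPassword via Hi, ClientKey, StoredKey, ServerKey) with Python's standard-library PBKDF2 at the draft's minimum, verifies a candidate password against the stored record, and flags records created under an older, lower iteration count so they can be re-derived on the next successful login. SCRAM-SHA-256 as the hash, a 128-bit salt, plain UTF-8 encoding in place of SASLprep, and the 4,096-iteration "legacy" record used for illustration are all assumptions of this example.

```python
"""Added example: SCRAM-style PBKDF2 verifier storage at the draft's minimum
iteration count, with verification and upgrade-on-login.  Illustrative code,
not part of draft-ietf-kitten-password-storage."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_ITERATIONS = 310_000   # PBKDF2 "Minimum iteration count (c)" from the draft's table
HASH = "sha256"            # assumption: SCRAM-SHA-256 (RFC 7677) as the mechanism's H
SALT_LEN = 16              # assumption: 128-bit random per-user salt


@dataclass(frozen=True)
class StoredCredential:
    """What the server keeps; the password itself is never stored."""
    salt: bytes
    iterations: int
    stored_key: bytes   # H(ClientKey), RFC 5802 section 3
    server_key: bytes   # HMAC(SaltedPassword, "Server Key")


def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802: PBKDF2 with HMAC-H as the PRF and dkLen = len(H)."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def _keys(salted_password: bytes) -> Tuple[bytes, bytes]:
    """Derive (StoredKey, ServerKey) from SaltedPassword as RFC 5802 specifies."""
    client_key = hmac.new(salted_password, b"Client Key", HASH).digest()
    server_key = hmac.new(salted_password, b"Server Key", HASH).digest()
    stored_key = hashlib.new(HASH, client_key).digest()
    return stored_key, server_key


def derive(password: str, salt: Optional[bytes] = None,
           iterations: int = MIN_ITERATIONS,
           enforce_minimum: bool = True) -> StoredCredential:
    """Build the record for a new password.  Refuses iteration counts below
    the minimum unless enforce_minimum is False (only for importing records
    created under an older policy).  SASLprep normalization is omitted; the
    password is assumed to be UTF-8 text (an assumption of this example)."""
    if enforce_minimum and iterations < MIN_ITERATIONS:
        raise ValueError(f"iteration count {iterations} is below the minimum {MIN_ITERATIONS}")
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    stored_key, server_key = _keys(hi(password.encode("utf-8"), salt, iterations))
    return StoredCredential(salt, iterations, stored_key, server_key)


def verify(cred: StoredCredential, password: str) -> bool:
    """Recompute StoredKey from the candidate password and compare in constant
    time.  The record's own salt and iteration count are used, so legacy
    records stay verifiable until they are rehashed."""
    stored_key, _ = _keys(hi(password.encode("utf-8"), cred.salt, cred.iterations))
    return hmac.compare_digest(stored_key, cred.stored_key)


def needs_rehash(cred: StoredCredential) -> bool:
    """True when the record was derived below the current minimum.  It can
    only be upgraded at login, because only then is the plaintext available."""
    return cred.iterations < MIN_ITERATIONS


def login(cred: StoredCredential, password: str) -> Optional[StoredCredential]:
    """Verify the password; return None on failure, the same record if it
    already meets policy, or a freshly derived record (new salt, current
    minimum) that the caller should write back in place of the old one."""
    if not verify(cred, password):
        return None
    return derive(password) if needs_rehash(cred) else cred


if __name__ == "__main__":
    cred = derive("correct horse battery staple")
    print(cred.iterations, cred.stored_key.hex())
    print(verify(cred, "correct horse battery staple"), verify(cred, "wrong"))
```

Because verification honours whatever iteration count the record carries, raising MIN_ITERATIONS later does not lock out existing users; the needs_rehash check lets the server migrate them one login at a time, which is the practical way to track the draft's minimum as it is revised.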