[LRUG] [ANN] Argon2id, native Ruby bindings to the OWASP recommended password-hashing function
Paul
mudge at mudge.name
Fri Nov 1 00:16:20 PDT 2024
Good morning all,
Following James’ announcement of Jelly, I thought I’d share a new gem I released yesterday for your feedback:
https://github.com/mudge/argon2id
Argon2id::Password.create("opensesame").to_s
#=> "$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU"
Argon2id::Password.create("opensesame") == "opensesame"
#=> true
Argon2id::Password.new("$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU") == "opensesame"
#=> true
Argon2id provides Ruby bindings to the reference C implementation of Argon2, the password-hashing function that won the 2015 Password Hashing Competition and is currently recommended by the OWASP Password Storage Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id). It has no runtime dependencies and native, precompiled versions of the gem are available for Linux, macOS and Windows.
This came about because I read Pilcrow’s The Copenhagen Book which recommends Argon2id for password storage (https://thecopenhagenbook.com/password-authentication#argon2id) but I was used to bcrypt-ruby (most commonly via Rails’ has_secure_password) and Coda Hale’s mantra of “Use bcrypt” from https://codahale.com/how-to-safely-store-a-password/. There are existing gems that use FFI bindings to Argon2 but I was keen to see if I could put my experience shipping native gems from my work on re2 (https://github.com/mudge/re2) to good use and ship a small gem with no dependencies.
Where possible, I try to keep the API familiar to users of BCrypt::Password with Argon2id::Password.create for hashing passwords using recommended defaults, Argon2id::Password.new for wrapping an existing hash and Argon2id::Password#== (aliased to Argon2id::Password#is_password?) for verifying hashes against plain text passwords. You can see more at https://github.com/mudge/argon2id?tab=readme-ov-file#usage
Please give it a whirl, let me know what you think, and feel free to report any issues at https://github.com/mudge/argon2id/issues
Kind regards,
-- Paul
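An added example, not part of the original message and not code from the argon2id gem: a plain-Ruby parser for the encoded hash string shown above, with a check for whether a stored hash falls below a parameter floor and should be re-hashed at next login. The names parse_encoded, needs_rehash? and MINIMUM are hypothetical, and the floor is an assumption copied from the parameters visible in the sample hash.

```ruby
# Added example: reads the fields of an Argon2 encoded hash string without
# loading any gem. All names here are hypothetical, not the gem's API.
EncodedHash = Struct.new(:variant, :version, :m_cost, :t_cost, :parallelism,
                         :salt, :digest)

# Hash string copied from the message above.
SAMPLE = '$argon2id$v=19$m=19456,t=2,p=1$ZS2nBFWBpnt28HjtzNOW4w$' \
         'SQ+p+dIcWbpzWpZQ/ZZFj8IQkyhYZf127U4QdkRmKFU'

# Assumed policy floor: the m (KiB of memory) and t (iterations) values
# that appear in SAMPLE.
MINIMUM = { m_cost: 19_456, t_cost: 2 }.freeze

ENCODED = %r{\A\$(argon2(?:id|i|d))\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)
             \$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)\z}x

# Argon2 writes salt and digest as base64 with the "=" padding stripped,
# so restore the padding before decoding.
def decode_unpadded(b64)
  (b64 + "=" * ((4 - b64.size % 4) % 4)).unpack1("m")
end

# Returns an EncodedHash, or raises ArgumentError for anything that is not
# a versioned Argon2 string (bcrypt hashes, truncated values, and so on).
def parse_encoded(str)
  match = ENCODED.match(str) or raise ArgumentError, "not an Argon2 encoded hash"
  variant, version, m, t, p, salt, digest = match.captures
  EncodedHash.new(variant, Integer(version, 10), Integer(m, 10),
                  Integer(t, 10), Integer(p, 10),
                  decode_unpadded(salt), decode_unpadded(digest))
end

# True when the stored value is not Argon2id v19 (0x13) or any cost
# parameter is below the floor. Unparseable values also count as needing a
# re-hash, so legacy formats are migrated rather than silently accepted.
def needs_rehash?(str, minimum = MINIMUM)
  h = parse_encoded(str)
  return true unless h.variant == "argon2id" && h.version >= 19
  minimum.any? { |field, floor| h[field] < floor }
rescue ArgumentError
  true
end
```

Re-hashing needs the plain text password, so a check like this belongs in the login path immediately after a successful verification.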