@maestroevn

@josh-hemphill
Collaborator

The issue is that Argon2 is not yet available in either Node core or any large 3rd-party modules. I think I brought it up when doing the rewrite. That's why I added the reference to the OWASP cheatsheets, since the status of Argon2 may change and the page may not get updated to reflect the state of Argon2.

@goldbergyoni
Owner

@tigranmaestro Welcome!

@josh-hemphill Which is the most reputable lib that implements Argon2?

@stale

stale bot commented Jul 13, 2021

Hello there! 👋
This issue has gone silent. Eerily silent. ⏳
We currently close issues after 100 days of inactivity. It has been 90 days since the last update here.
If needed, you can keep it open by replying here.
Thanks for being a part of the Node.js Best Practices community! 💚

@stale stale bot added the stale label Jul 13, 2021
@josh-hemphill
Collaborator

josh-hemphill commented Jul 13, 2021

It looks like the Argon2 library has a lot more usage now, but it's a native binding, not pure JavaScript, so using it downloads additional binaries. Node.js core is open to adding it, but Node.js uses OpenSSL for all its crypto operations, and OpenSSL won't add it until after OpenSSL 3.0 becomes stable. Another option would be to use the libsodium library, which is a large pure JavaScript crypto library which happens to include Argon2, but if that's all you need it for, you'd want to make sure you're tree-shaking.

@stale stale bot removed the stale label Jul 13, 2021
@goldbergyoni
Owner

@josh-hemphill Great follow-up as always, sounds like waiting a bit more is the right act here?

@josh-hemphill
Collaborator

> @josh-hemphill Great follow-up as always, sounds like waiting a bit more is the right act here?

I personally think so. If we decide to mention Argon2, we're also going to have to explain how to choose between the native binaries and pure JavaScript implementations, and we'll have to update it again in a number of months. Currently, BCrypt and SCrypt cover all the bases for the functionality you'd need. I would also be worried about suggesting that devs use a library that may become irrelevant shortly, and, as happens, may stop being worked on shortly after.

@goldbergyoni
Owner

@josh-hemphill Resonates with me

@josh-hemphill
Collaborator

josh-hemphill commented Oct 19, 2021

Minor update. OpenSSL 3.0 is in active release, and Node.js v17 now uses OpenSSL 3.0. RFCs for Argon2 are released, so it's up to algorithm implementers to PR it into OpenSSL, but it won't be added until at least OpenSSL 3.1.

@goldbergyoni
Owner

@josh-hemphill Can you close this PR based on your judgement?

@josh-hemphill
Collaborator

Yeah. Since Argon2 has been postponed until OpenSSL 3.1, it's going to be a little while before we need to look at it again.

@josh-hemphill
Collaborator

josh-hemphill commented Nov 23, 2023

Good news, Argon2 has been released in OpenSSL 3.2, and there's an open PR in Node to add it, so we should have a version of Node coming up that will include Argon2; can probably update the relevant info after that.

@ranisalt

> It looks like the Argon2 library has a lot more usage now, but it's a native binding, not pure JavaScript, so using it downloads additional binaries

There seems to be some misunderstanding here as the library recommended for bcrypt also contains native bindings, just like node-argon2 (assuming it is the Argon2 library you mention). Both libraries have roughly the same install process, which downloads prebuilt binaries if available.

Is there something else that you see blocking?
