Update Argon parameters suggestions

[nth-block]

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

• In case of a new Cheat Sheet, you have used the Cheat Sheet template.
• All the markdown files do not raise any validation policy violation, see the policy.
• All the markdown files follow these format rules.
• All your assets are stored in the assets folder.
• All the images used are in the PNG format.
• Any references to websites have been formatted as [TEXT](URL)
• You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
• The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #1536.

Thank you again for your contribution 😃

[jmanico]

2GB for argon2id for an authentication system is not reasonable. It kills the ability to scale. Please let me research this more, many other standards cite our configurations and I'm hesitant to change them, but I take your work seriously and will be back. :)

[mackowski]

@jmanico any updates on this? :-)

[jmanico]

I don't want to change it. This makes me very nervous I need to get @Sc00bz involved

[jmanico]

Hey @Sc00bz can you kindly take a look at this?

[Sc00bz]

TL;DR Strong no. More so than when I was trying to lower the bcrypt cost from 12 to 9.

The current settings for all of the algorithms are minimum values and you are encouraged to go higher, if you can. This is based on benchmarks or theoretical speeds such that an attacker gets <10 kH/s/GPU.

These settings are from the RFC which I brought up issues with before it was published. My email was ignored then 5 months later the Argon2 RFC was publish. This is so far out from reality I would be embarrassed, if my name was on that RFC. I do know multiple people in the acknowledgments but I assume they weren't involved with settings.

I should mention that the current settings are theoretical minimums. Which are higher than the true minimums, but there aren't good benchmarks for Argon2 and I don't have an RTX 4090 or an RX 7900 XTX. Even if I did I'd still need to write the code for it since there aren't any public optimal GPU attacker code. There's async memory functions, optimizing bank conflicts in shared memory (L1 cache), etc.

---

Maybe we should add a note that states that the Argon2 RFC is a bad source for settings. Well specifically m=2 GiB and p=4 are bad settings for auth. m=64 MiB, t≥3, p=1 is great for auth but is on the high end (PHP's default is m=64 MiB, t=4, p=1).

[jmanico]

Based on @Sc00bz I am politely declining this PR.