2

I want to use Argon2 as the hashing algorithm for the passwords in my system and I'm trying to find the right parameters to set for it. I'm using PHP.

While testing a few variations, I tried to see how's the memory impacted by using Argon2.

The documentation mentions this :

memory_cost (integer) - Maximum memory (in kibibytes) that may be used to compute the Argon2 hash. Defaults to PASSWORD_ARGON2_DEFAULT_MEMORY_COST.

However, using PHP's function memory_get_peak_usage the amount of memory consumed by my script never seems impacted. Here is an example :

$hash = password_hash('password1', PASSWORD_ARGON2I, ['memory_cost' => (1024*100), 'time_cost' => 20, 'threads' => 2]); // Should require 100MiB

$memory_peak = memory_get_peak_usage(true);

echo $memory_peak / (1024*1024); // To have the result in MiB

On my system, this takes ~0.5 second to execute, BUT memory usage is always 2MiB.

Can someone explain why PHP memory usage is not affected by using memory_cost parameter of Argon2 ?

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
MaxiWheat
  • 6,133
  • 6
  • 47
  • 76
  • FYI, I deleted my answer. After experimenting a bit, I realized I don't actually know what's going on here, either. This is very confusing to me. – elixenide Sep 07 '19 at 05:40
  • 1
    See note on https://www.php.net/memory_get_usage. memory_get_usage() on tracks memory allocated through PHP's own allocator. Memory used by 3rd party libraries is not tracked by it. – NikiC Sep 09 '19 at 18:24
  • @NikiC Is it 3rd party ? `password_hash` and `PASSWORD_ARGON2I` are core PHP, it must only be compiled using `--with-password-argon2` – MaxiWheat Sep 10 '19 at 15:55
  • @MaxiWheat The argon2i implementations are provided either by libargon2 or by libsodium, which are not part of PHP. – NikiC Sep 10 '19 at 16:29

0 Answers0