draft-ietf-kitten-password-storage-06.txt   draft-ietf-kitten-password-storage-07.txt 
Common Authentication Technology Next Generation S. Whited Common Authentication Technology Next Generation S. Whited
Internet-Draft 6 April 2021 Internet-Draft 27 September 2021
Intended status: Best Current Practice Intended status: Best Current Practice
Expires: 8 October 2021 Expires: 31 March 2022
Best practices for password hashing and storage Best practices for password hashing and storage
draft-ietf-kitten-password-storage-06 draft-ietf-kitten-password-storage-07
Abstract Abstract
This document outlines best practices for handling user passwords and This document outlines best practices for handling user passwords and
other authenticator secrets in client-server systems making use of other authenticator secrets in client-server systems making use of
SASL. SASL.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 8 October 2021. This Internet-Draft will expire on 31 March 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 7, line 33 skipping to change at page 7, line 33
+----------------------------------+--------------+ +----------------------------------+--------------+
| Minimum output length | 32 | | Minimum output length | 32 |
+----------------------------------+--------------+ +----------------------------------+--------------+
Table 2: Argon Parameters Table 2: Argon Parameters
5.2. Bcrypt 5.2. Bcrypt
bcrypt [BCRYPT] is a Blowfish-based KDF. bcrypt [BCRYPT] is a Blowfish-based KDF.
+=========================+=======================+ +==========================+=======================+
| Parameter | Value | | Parameter | Value |
+=========================+=======================+ +==========================+=======================+
| Recommended Cost | 12 | | Minimum Recommended Cost | 12 |
+-------------------------+-----------------------+ +--------------------------+-----------------------+
| Maximum Password Length | 50-72 bytes depending | | Maximum Password Length | 50-72 bytes depending |
| | on the implementation | | | on the implementation |
+-------------------------+-----------------------+ +--------------------------+-----------------------+
Table 3: Bcrypt Parameters Table 3: Bcrypt Parameters
5.3. PBKDF2 5.3. PBKDF2
PBKDF2 [RFC8018] is used by the SCRAM [RFC5802] family of SASL PBKDF2 [RFC8018] is used by the SCRAM [RFC5802] family of SASL
mechanisms. mechanisms.
+=============================+================================+ +=============================+================================+
| Parameter | Value | | Parameter | Value |
+=============================+================================+ +=============================+================================+
| Minimum iteration count (c) | 310,000 | | Minimum iteration count (c) | 310,000 |
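Review bot: renaming the bcrypt row to "Minimum Recommended Cost" (Table 3) is the right framing, since it now reads as a floor in the same way as "Minimum output length" in Table 2 and "Minimum iteration count (c)" in the PBKDF2 table, and a cost of 12 is a value to be raised over time rather than a fixed setting. The adjacent row, "Maximum Password Length | 50-72 bytes depending on the implementation", still leaves the implementer's action unstated: the table gives the range of limits but not what to do with a longer password. Suggest adding a sentence under 5.2 saying whether an input above the implementation's limit is to be rejected or pre-hashed before bcrypt, so that deployments do not depend on whatever a given implementation does past its limit, which is the failure mode the range hints at.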
skipping to change at page 11, line 42 skipping to change at page 11, line 42
[BCRYPT] Provos, N. and D. Mazières, "A Future-Adaptable Password [BCRYPT] Provos, N. and D. Mazières, "A Future-Adaptable Password
Scheme", USENIX 1999 Scheme", USENIX 1999
https://www.usenix.org/legacy/event/usenix99/provos/ https://www.usenix.org/legacy/event/usenix99/provos/
provos.pdf, June 1999. provos.pdf, June 1999.
[I-D.irtf-cfrg-argon2] [I-D.irtf-cfrg-argon2]
Biryukov, A., Dinu, D., Khovratovich, D., and S. Biryukov, A., Dinu, D., Khovratovich, D., and S.
Josefsson, "The memory-hard Argon2 password hash and Josefsson, "The memory-hard Argon2 password hash and
proof-of-work function", Work in Progress, Internet-Draft, proof-of-work function", Work in Progress, Internet-Draft,
draft-irtf-cfrg-argon2-12, 8 September 2020, draft-irtf-cfrg-argon2-12, 8 September 2020,
<https://tools.ietf.org/html/draft-irtf-cfrg-argon2-12>. <https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-
argon2-12>.
[NISTSP132] [NISTSP132]
Turan, M., Barker, E., Burr, W., and L. Chen, Turan, M., Barker, E., Burr, W., and L. Chen,
"Recommendation for Password-Based Key Derivation Part 1: "Recommendation for Password-Based Key Derivation Part 1:
Storage Applications", NIST Special Publication SP Storage Applications", NIST Special Publication SP
800-132, DOI 10.6028/NIST.SP.800-132, December 2010, 800-132, DOI 10.6028/NIST.SP.800-132, December 2010,
<https://nvlpubs.nist.gov/nistpubs/Legacy/SP/ <https://nvlpubs.nist.gov/nistpubs/Legacy/SP/
nistspecialpublication800-132.pdf>. nistspecialpublication800-132.pdf>.
[NISTSP63-3] [NISTSP63-3]
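Review bot: the URL change for [I-D.irtf-cfrg-argon2] from tools.ietf.org to datatracker.ietf.org is fine, but the entry still pins draft-irtf-cfrg-argon2-12 dated 8 September 2020, a year before this revision (27 September 2021). Before publication, check whether the CFRG draft has been superseded and update the reference to the current revision or to the RFC if it has been published, since Table 2's Argon parameters are justified by that document; the same check applies to the datatracker URL, which should point at the revision actually cited.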
 End of changes. 7 change blocks. 
14 lines changed or deleted 15 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/