Hacker News

Where do you think Argon2 should be present before it is considered to have good library support? AFAIK, it is in libsodium, Debian, Ubuntu, and other distros.

And I think one can also make mistakes with scrypt when choosing parameters, which Colin himself acknowledged. So isn't it time to go ahead with Argon2?



No. Use Argon2 if it's convenient to do so. Not using Argon2 isn't a security flaw.

People have weird ideas about the importance of picking password hashes. It's important not to use non-password-hashes. Other than that, which password hash you use? Not so important.


This project is in Go and Argon2 isn't a part of the standard crypto (https://golang.org/pkg/crypto/#pkg-subdirectories) or additional crypto (https://godoc.org/golang.org/x/crypto) libraries.

There are a few 3rd party implementations... But is it more secure to use a lesser known 3rd party package to have Argon2 support or is it more secure to use the more widely adopted bcrypt package supported by the Go dev community?


> This project is in Go and Argon2 isn't a part of the standard crypto

I was talking about password hashes in a general sense, not just about the current project.



