argon2id-owasp-2024-params-for-password-hashing

The OWASP 2024 recommended argon2id parameters are time=3, memory=65536 (64MB), parallelism=4. R-Same implements these in PasswordService. Constant-time failure is enforced by running a dummy argon2 hash on unknown-email lookups to prevent user-enumeration via timing side-channels — the generic error message ‘Invalid email or password’ must never reveal account existence.

Related

• r-same-auth-constant-time-generic-errors-required
• r-same-m1-identity-backend-core-wave-1-pass-1
• constant-time-auth-prevents-email-enumeration
• constant-time-auth-failure-prevents-email-enumeration
• oracle
• argon2id-owasp-2024-settings-for-r-same-auth