0x1d
6a17236474
- Add comprehensive 8-phase implementation plan (docs/plan.md) - Add 28 Architecture Decision Records (docs/adr/) covering all phases - Add task tracking system with 283+ task files (docs/stories/) - Add task generator script for automated task file creation - Add reference playbooks and requirements documentation This commit establishes the complete planning foundation for the Go Platform implementation, documenting all architectural decisions and providing detailed task breakdown for Phases 0-8.
1.5 KiB
1.5 KiB
ADR-0018: Password Hashing Algorithm
Status
Accepted
Context
The platform needs to securely store user passwords. Requirements:
- Resist brute-force attacks
- Resist rainbow table attacks
- Future-proof against advances in computing
- Reasonable performance (not too slow)
Options considered:
- bcrypt - Battle-tested, widely used
- argon2id - Modern, memory-hard, recommended by OWASP
- scrypt - Memory-hard, good alternative
- PBKDF2 - Older standard, less secure
Decision
Use argon2id for password hashing with recommended parameters:
- Algorithm: argon2id (variant)
- Memory: 64 MB (65536 KB)
- Iterations: 3 (time cost)
- Parallelism: 4 (number of threads)
- Salt length: 16 bytes (random, unique per password)
Rationale:
- Recommended by OWASP for new applications
- Memory-hard algorithm (resistant to GPU/ASIC attacks)
- Good balance of security and performance
- Future-proof design
- Standard library support in Go 1.23+
Consequences
Positive
- Strong security guarantees
- Memory-hard (resistant to hardware attacks)
- OWASP recommended
- Standard library support
Negative
- Slightly slower than bcrypt (acceptable trade-off)
- Requires tuning parameters for production
Implementation Notes
- Use
golang.org/x/crypto/argon2package - Store hash in format:
$argon2id$v=19$m=65536,t=3,p=4$salt$hash - Use
crypto/randfor salt generation - Verify passwords with
argon2.CompareHashAndPassword() - Consider increasing parameters for high-security environments