The Italian Data Protection Authority and the National Cybersecurity Agency have approved the “Guidelines on cryptographic functions – password storage”

On December 12, 2023, the Italian Data Protection Authority (Garante per la protezione dei dati personali) and the National Cybersecurity Agency (ACN) approved the “Guidelines on cryptographic functions – password storage” (the “Guidelines”).

The purpose of the Guidelines is to recommend the cryptographic functions currently considered most secure for protecting user passwords stored in the systems of companies and public administrations acting as data controllers or data processors, with the aim of reducing the impact of cybercriminal attacks, in particular those in which the stored credentials are exposed.

Specifically, the Guidelines recommend the use of cryptographic hashing functions designed for passwords. A hash function is non-reversible: the password itself is never stored in plain text in the archive; only its digest is saved, so that anyone who gains access to the archive cannot directly read the passwords. In practice this means a unique, random salt for each password and a deliberately slow or memory-hard function, so that an attacker who obtains the digests cannot cheaply test candidate passwords against them, nor recognise two users who chose the same password.

Finally, the Guidelines examine several password hashing algorithms, including:

– PBKDF2, a key derivation function that repeatedly applies a pseudo-random function (typically HMAC) to the password and a salt, with a configurable iteration count;
– Scrypt, a memory-hard function designed to reduce the effectiveness of attacks based on specialized hardware implementations (GPUs and ASICs);
– Argon2id, the hybrid variant of Argon2, providing protection against both side-channel attacks and dedicated brute-force attacks run on GPUs and ASICs.
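The following is an added example, not code from the Guidelines or from the authorities that issued them, showing what storing only a salted, slow digest looks like in practice. It uses the PBKDF2 and scrypt implementations in the Python standard library (`hashlib.pbkdf2_hmac`, `hashlib.scrypt`); the cost parameters, the `scheme$params$salt$digest` record format and the function names are assumptions made for the example, not values prescribed by the page. An unsalted SHA-256 helper is included only to show why a plain hash is not enough: two users with the same password get the same digest.

```python
import base64
import hashlib
import hmac
import os

# Cost parameters: assumptions for this example, not values from the Guidelines.
# Tune them so a hash takes a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 600_000                 # PBKDF2-HMAC-SHA256 iteration count
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB of memory per hash
SCRYPT_MAXMEM = 64 * 1024 * 1024             # upper bound handed to OpenSSL
SALT_LEN = 16                                # 128-bit random salt per password
DIGEST_LEN = 32                              # 256-bit derived key


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, scheme: str = "scrypt") -> str:
    """Return a self-describing record "scheme$params$salt$digest".

    Only this record is stored; the password never is. A fresh random salt
    is drawn for every call, so hashing the same password twice yields
    two different records. The record format is an assumption of this example.
    """
    salt = os.urandom(SALT_LEN)
    pw = password.encode("utf-8")
    if scheme == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=DIGEST_LEN)
        params = str(PBKDF2_ITERATIONS)
    elif scheme == "scrypt":
        digest = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                                maxmem=SCRYPT_MAXMEM, dklen=DIGEST_LEN)
        params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    return f"{scheme}${params}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and parameters and compare.

    The parameters travel with the record, so the iteration count or memory
    cost can be raised for new users without breaking existing records.
    """
    scheme, params, salt_b64, digest_b64 = record.split("$")
    salt, expected = _unb64(salt_b64), _unb64(digest_b64)
    pw = password.encode("utf-8")
    if scheme == "pbkdf2":
        actual = hashlib.pbkdf2_hmac("sha256", pw, salt, int(params), dklen=len(expected))
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        actual = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p,
                                maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: a fast, unsalted hash. Shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
    # Two users, same password: salted records differ, the plain hash does not.
    print("salted records equal:", hash_password("hunter2") == hash_password("hunter2"))
    print("unsalted digests equal:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

Argon2id, the third function named in the Guidelines, is not in the Python standard library; the `argon2-cffi` package exposes it through `argon2.PasswordHasher`, whose `hash()` and `verify()` methods follow the same store-only-the-digest pattern as above and are the usual choice for new systems.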