Password hashing

Ben Laurie ben at
Sat Oct 13 07:04:06 EDT 2007

Steven M. Bellovin wrote:
> On Thu, 11 Oct 2007 22:19:18 -0700
> james hughes <hughejp at> wrote:
>> A proposal for a new password hashing based on SHA-256 or SHA-512 has
>> been proposed by RedHat but to my knowledge has not had any rigorous
>> analysis. The motivation for this is to replace MD-5 based password
>> hashing at banks where MD-5 is on the list of "do not use"
>> algorithms. I would prefer not to have the discussion "MD-5 is good
>> enough for this algorithm" since it is not an argument that the
>> customers requesting these changes are going to accept.
> NetBSD uses iterated HMAC-SHA1, where the password is the key and the
> salt is the initial plaintext.  (This is my design but not my
> implementation.)

+1 to iterated HMAC-xxx, where xxx is a cryptographic hash of your choosing.

Easy to implement, hard to get wrong, somewhat understood security
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
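The construction the thread is endorsing (iterated HMAC with the password as the key and the salt as the initial message) is simple enough to show in full. The following is an added example written for this page, not Bellovin's design as implemented in NetBSD and not RedHat's SHA-crypt proposal: the round structure (each round's digest becomes the next round's message), the iteration count, and the `$ihmac-sha256$...` record format are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example of "iterated HMAC, password as key, salt as first message".
# The round chaining and the stored-record format below are assumptions for
# this illustration; they are not NetBSD's code or record layout.


def iterated_hmac_hash(password: bytes, salt: bytes, iterations: int,
                       digestmod=hashlib.sha256) -> bytes:
    """Return the iterated HMAC of `salt` under key `password`.

    Round 1 computes HMAC(password, salt); each later round feeds the
    previous round's digest back in as the message. Cost grows linearly
    with `iterations`, which is the knob that slows offline guessing.
    `digestmod` is the "xxx" in HMAC-xxx: swap in hashlib.sha512 to move
    off a hash a customer will not accept.
    """
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    state = salt
    for _ in range(iterations):
        state = hmac.new(password, state, digestmod).digest()
    return state


def make_record(password: bytes, iterations: int = 100_000,
                salt: Optional[bytes] = None) -> str:
    """Produce a self-describing stored record.

    Format (hypothetical, chosen for this example only):
        $ihmac-sha256$<iterations>$<salt hex>$<digest hex>
    Keeping the parameters beside the hash lets the work factor be raised
    for new records without breaking verification of old ones.
    """
    if salt is None:
        salt = os.urandom(16)  # a fresh per-user salt defeats precomputed tables
    digest = iterated_hmac_hash(password, salt, iterations)
    return f"$ihmac-sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: bytes, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        _, scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != "ihmac-sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # malformed record: wrong field count, bad integer, or bad hex
        return False
    actual = iterated_hmac_hash(password, salt, iterations)
    # compare_digest does not leak where the first mismatching byte is
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    rec = make_record(b"correct horse battery staple", iterations=10_000)
    print(rec)
    print(verify(b"correct horse battery staple", rec))
    print(verify(b"wrong guess", rec))
```

The iteration count is the only tunable that buys security against a brute-force attacker with a leaked password file; pick it by measuring how long a verification takes on the production hardware, not by tradition, and store it with the record so it can be raised later.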

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at