[Cryptography] Why don't we protect passwords properly?

Patrick Mylund Nielsen cryptography at patrickmylund.com
Tue Dec 24 21:37:40 EST 2013


On Tue, Dec 24, 2013 at 1:03 PM, Krisztián Pintér <pinterkr at gmail.com> wrote:

>
>
> Arnold Reinhold (at Tuesday, December 24, 2013, 6:21:29 AM):
>
> > to substitute a better algorithm when it comes along. And is there
> > any cryptographer out there who knows the algorithm and believes
> > that scrypt could be weaker than PBKDF2? Seriously?
>
> yep, plenty. for example all who know the principle of not using
> branching/indexing on secret. pbkdf2 does not do that, and is therefore
> safe against cache timing attacks. the same cannot be said about
> either bcrypt, which uses secret based s-boxes, but especially not
> scrypt, which uses secret based memory access wildly.
>

I agree that these are good reasons to look for improvements. (In fact, the
memory access concern with scrypt was one of the main reasons the Password
Hashing Competition was started.) I wholeheartedly disagree that they're
good reasons to use PBKDF2 over scrypt (which coincidentally uses PBKDF2
itself), since scrypt is still far superior at the main goal: Making a
wholesale offline attack against all of the passwords in a user database
prohibitively expensive.