[148692] in cryptography@c2.net mail archive
Re: [Cryptography] Why don't we protect passwords properly?
daemon@ATHENA.MIT.EDU (Patrick Mylund Nielsen)
Tue Dec 24 23:08:18 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <57817505.20131224190352@gmail.com>
Date: Tue, 24 Dec 2013 21:37:40 -0500
From: Patrick Mylund Nielsen <cryptography@patrickmylund.com>
To: Krisztián Pintér <pinterkr@gmail.com>
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Tue, Dec 24, 2013 at 1:03 PM, Krisztián Pintér <pinterkr@gmail.com> wrote:
>
>
> Arnold Reinhold (at Tuesday, December 24, 2013, 6:21:29 AM):
>
> > to substitute a better algorithm when it comes along. And is there
> > any cryptographer out there who knows the algorithm and believes
> > that scrypt could be weaker than PBKDF2? Seriously?
>
> yep, plenty. for example all that knows the principle of not using
> branching/indexing on secret. pbkdf2 does not do that, and therefore
> safe against cache timing attacks. the same can not be said about
> either bcrypt, which uses secret based s-boxes, but especially not
> scrypt, which uses secret based memory access wildly.
>
I agree that these are good reasons to look for improvements. (In fact, the
memory access concern with scrypt was one of the main reasons the Password
Hashing Competition was started.) I wholeheartedly disagree that they're
good reasons to use PBKDF2 over scrypt (which coincidentally uses PBKDF2
itself,) since scrypt is still far superior at the main goal: Making a
wholesale offline attack against all of the passwords in a user database
prohibitively expensive.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
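
The two properties argued over in the message above, as an added example that is not part of the original thread or of any scrypt implementation's own code: a minimal scrypt following RFC 7914 that wraps ROMix in two PBKDF2-HMAC-SHA256 calls and records which table entries the mix phase reads. The names `scrypt_traced` and `trace`, and the sample passwords and salt, are constructed for this illustration.

```python
import hashlib, struct

QR = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),   # column rounds
      (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]   # row rounds

def rotl(v, n):
    return ((v << n) & 0xFFFFFFFF) | ((v & 0xFFFFFFFF) >> (32 - n))

def salsa20_8(block):
    inp = struct.unpack("<16I", block)
    x = list(inp)
    for _ in range(4):                      # 4 double rounds = 8 rounds
        for a, b, c, d in QR:
            x[b] ^= rotl(x[a] + x[d], 7)
            x[c] ^= rotl(x[b] + x[a], 9)
            x[d] ^= rotl(x[c] + x[b], 13)
            x[a] ^= rotl(x[d] + x[c], 18)
    return struct.pack("<16I", *((x[i] + inp[i]) & 0xFFFFFFFF for i in range(16)))

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def blockmix(B):
    blocks = [B[i:i + 64] for i in range(0, len(B), 64)]
    X, Y = blocks[-1], []
    for blk in blocks:
        X = salsa20_8(xor(X, blk))
        Y.append(X)
    return b"".join(Y[0::2] + Y[1::2])      # even-indexed blocks first, then odd

def romix(B, N, trace):
    V, X = [], B
    for _ in range(N):                      # fill phase: same access order for every input
        V.append(X)
        X = blockmix(X)
    for _ in range(N):                      # mix phase: index is derived from secret state
        j = int.from_bytes(X[-64:], "little") % N    # Integerify(X) mod N
        trace.append(j)
        X = blockmix(xor(X, V[j]))
    return X

def scrypt_traced(password, salt, N=16, r=1, p=1, dklen=32):
    # Returns (derived key, list of V[] indices read during the mix phase).
    size, trace = 128 * r, []
    B = hashlib.pbkdf2_hmac("sha256", password, salt, 1, p * size)     # PBKDF2 on the way in
    mixed = b"".join(romix(B[i:i + size], N, trace) for i in range(0, len(B), size))
    return hashlib.pbkdf2_hmac("sha256", password, mixed, 1, dklen), trace  # and on the way out

if __name__ == "__main__":
    print([scrypt_traced(pw, b"constructed-salt")[1] for pw in (b"pw-one", b"pw-two")])
```

The two printed index lists differ because each `j` depends on the password, whereas PBKDF2 alone performs no table lookup at all; the cost that makes scrypt expensive to attack offline comes from having to keep all `N` entries of `V` available for those reads.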