[148699] in cryptography@c2.net mail archive
Re: [Cryptography] Why don't we protect passwords properly?
daemon@ATHENA.MIT.EDU (=?utf-8?Q?Kriszti=C3=A1n_Pint=C3=A)
Wed Dec 25 14:51:03 2013
X-Original-To: cryptography@metzdowd.com
Date: Wed, 25 Dec 2013 11:42:24 +0100
From: =?utf-8?Q?Kriszti=C3=A1n_Pint=C3=A9r?= <pinterkr@gmail.com>
To: Patrick Mylund Nielsen <cryptography@patrickmylund.com>
In-Reply-To: <CAEw2jfzv18pfevadBn=rTCMKv3W6pK60wn-HXs3sgXn7Z8nrCA@mail.gmail.com>
Cc: "cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Patrick Mylund Nielsen (at Wednesday, December 25, 2013, 3:37:40 AM):
> I
> wholeheartedly disagree that they're good reasons to use PBKDF2 over
> scrypt (which coincidentally uses PBKDF2 itself,) since scrypt is
> still far superior at the main goal: Making a wholesale offline
> attack against all of the passwords in a user database prohibitively expensive.
goal can be nice, but it might fail at this goal if opens a backdoor.
i would only recommend scrypt (and bcrypt for that matter) in special
circumstances (if your attack model excludes cache timings). it is
okay, specialized solutions have a place in the industry. but you need
to know goddam well if you can use it or not. for general use, i must
recommend pbkdf2, even if it is an ugly little piece of design.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
