1. 18

  2. 3

    @codahale Given you wrote this in 2010 and updated it last in 2011, does this still apply in 2014? Are there not newer / better / sexier options available now? Why would you choose or not choose one of those?

    1. 5

      There is an enormous gulf between what came before bcrypt and the latest generation.

      1st gen: hashing (useless)

      2nd gen: hashing and salting (useful, but outdated. Now useless)

      3rd gen: slow hashing. Make the attacker actually do some work.

      I’ll include scrypt in 3rd gen. Maybe gen 3.5. At some point good enough is good enough.

      tptacek at HN has noted that nerds have the unfortunate tendency to invent controversies and always find “the best”. This then distracts from the primary message.

    2. 3

      Why not scrypt?

      1. 8

        (Author here.) Mostly a matter of availability and human factors.

        While availability has improved, scrypt’s human factors aren’t great. The parameters (N/r/p) are highly interdependent in terms of time and space costs, and it’s pretty easy to make choices there which drastically weaken scrypt relative to bcrypt. YACoin, in particular, selected poorly: http://www.openwall.com/lists/crypt-dev/2013/12/31/1.

        As long as someone’s using r≥8 and p≥1, I’m happy if they’re using scrypt. shrug

        Personally, I’m more interested in the results of the Password Hashing Competition.

        1. 2

          Here’s another example of poor scrypt parameter selection: https://hashcat.net/forum/thread-3803.html.

          From the crypt-dev conversation:

          So it appears that in terms of attacks with current GPUs scrypt at 4 MiB is comparable to bcrypt at 4 KiB. In other words, defensive use of scrypt needs 1000x more memory to provide same security against GPUs.

          That’s with r=1 and p=1. With higher r, scrypt might be more GPU-friendly (larger sequential accesses to off-chip memory).

        2. 2

          The article is 4 years old. I think if it were written today it would say “use bcrypt or scrypt”. I don’t think scrypt module support was present in a lot of languages 4 years ago.

        3. -3

          Don’t use bcrypt: http://www.unlimitednovelty.com/2012/03/dont-use-bcrypt.html

          PBKDF2 is a good recommendation today.

          1. 7

            The data that this link uses was found to be flawed. Ironic thing, though, is that this link doesn’t even cite its sources so I can’t find the rebuttal article right now.